chore: remove mihomo-party

feat: add netbird for homelab, keep tailscale for work (#225 )
refactor: grafana - add more datasources, rewrite in nix
2026-05-28 18:39:31 +02:00 · 2025-10-02 11:50:46 +08:00 · 2025-10-02 11:49:05 +08:00 · 2025-09-26 23:46:54 +08:00 · 2025-09-26 21:37:23 +08:00 · 2025-09-26 19:12:45 +08:00
408 changed files with 37607 additions and 9302 deletions
@@ -25,9 +25,9 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Install nix
-        uses: cachix/install-nix-action@v24
+        uses: cachix/install-nix-action@v31
        with:
          install_url: https://nixos.org/nix/install
          extra_nix_config: |
@@ -1,3 +1,4 @@
+.Trash-1000/
 result
 result/
 .direnv/
@@ -7,3 +8,4 @@ logs/
 core*
 !core/
 !core.nix
+!coredns*
@@ -1,10 +1,21 @@
 [files]
+# Respect .ignore files.
 ignore-dot = true
+# Respect ignore files.
 ignore-files = true
-extend-exclude = ["themes/", "data/", "static-surprises/", "resources/"]
+# Typos-specific ignore globs (gitignore syntax).
+# NOTE: This setting is ignored when you pass the path directly on the command line, as cachix/git-hooks.nix does.
+# To ignore those files, you must also exclude those directories via git-hooks.hooks.typos.settings.exclude.
+extend-exclude = [
+  "data/",
+  "rime-data/",
+]

 [default]
+# Check binary files as text.
 binary = false
+# Verify spelling in file names.
+check-filename = true
 # ignore some special identifiers(sha256, mac address, crypto keys, etc)
 extend-ignore-re = [
  "iterm2",
@@ -26,13 +26,13 @@ test:
 # Update all the flake inputs
 [group('nix')]
 up:
-  nix flake update
+  nix flake update --commit-lock-file

 # Update specific input
 # Usage: just upp nixpkgs
 [group('nix')]
 upp input:
-  nix flake update {{input}}
+  nix flake update {{input}} --commit-lock-file

 # List all generations of the system profile
 [group('nix')]
@@ -48,7 +48,10 @@ repl:
 # on darwin, you may need to switch to root user to run this command
 [group('nix')]
 clean:
+  # Wipe out NixOS's history
  sudo nix profile wipe-history --profile /nix/var/nix/profiles/system  --older-than 7d
+  # Wipe out home-manager's history
+  nix profile wipe-history --profile $"($env.XDG_STATE_HOME)/nix/profiles/home-manager" --older-than 7d

 # Garbage collect all unused nix store entries
 [group('nix')]
@@ -74,7 +77,7 @@ shell:
 [group('nix')]
 fmt:
  # format the nix files in this repo
-  nix fmt
+  ls **/*.nix | each { |it| nixfmt $it.name }

 # Show all the auto gc roots in the nix store
 [group('nix')]
@@ -94,29 +97,44 @@ verify-store:
 repair-store *paths:
  nix store repair {{paths}}

+# Update all Nixpkgs inputs
+[group('nix')]
+up-nix:
+  nix flake update nixpkgs nixpkgs-stable nixpkgs-unstable nixpkgs-darwin nixpkgs-ollama
+
 ############################################################################
 #
 #  NixOS Desktop related commands
 #
 ############################################################################

+# Deploy the nixosConfiguration by hostname match
+[linux]
+[group('homelab')]
+local mode="default":
+  #!/usr/bin/env nu
+  use {{utils_nu}} *;
+  nixos-switch (hostname) {{mode}}
+
+# Deploy the hyprland nixosConfiguration by hostname match
 [linux]
 [group('desktop')]
 hypr mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *;
-  nixos-switch ai-hyprland {{mode}}
+  nixos-switch $"(hostname)-hyprland" {{mode}}

+# Deploy the niri nixosConfiguration by hostname match
 [linux]
 [group('desktop')]
-s-hypr mode="default":
+niri mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *;
-  nixos-switch shoukei-hyprland {{mode}}
+  nixos-switch $"(hostname)-niri" {{mode}}

 ############################################################################
 #
-#  Darwin related commands, harmonica is my macbook pro's hostname
+#  Darwin related commands
 #
 ############################################################################

@@ -133,32 +151,15 @@ darwin-rollback:
  use {{utils_nu}} *;
  darwin-rollback

-# Deploy to harmonica(macOS host)
+# Deploy the darwinConfiguration by hostname match
 [macos]
 [group('desktop')]
-ha mode="default":
+local mode="default": 
  #!/usr/bin/env nu
  use {{utils_nu}} *;
-  darwin-build "harmonica" {{mode}};
-  darwin-switch "harmonica" {{mode}}
+  darwin-build (hostname) {{mode}};
+  darwin-switch (hostname) {{mode}}

-# Depoly to fern(macOS host)
-[macos]
-[group('desktop')]
-fe mode="default": 
-  #!/usr/bin/env nu
-  use {{utils_nu}} *;
-  darwin-build "fern" {{mode}};
-  darwin-switch "fern" {{mode}}
-
-# Depoly to frieren(macOS host)
-[macos]
-[group('desktop')]
-fr mode="default": 
-  #!/usr/bin/env nu
-  use {{utils_nu}} *;
-  darwin-build "frieren" {{mode}};
-  darwin-switch "frieren" {{mode}}

 # Reset launchpad to force it to reindex Applications
 [macos]
@@ -179,13 +180,6 @@ reset-launchpad:
 col tag:
  colmena apply --on '@{{tag}}' --verbose --show-trace

-[linux]
-[group('homelab')]
-local name mode="default":
-  #!/usr/bin/env nu
-  use {{utils_nu}} *;
-  nixos-switch {{name}} {{mode}}
-
 # Build and upload a vm image
 [linux]
 [group('homelab')]
@@ -205,37 +199,16 @@ lab:
 shoryu:
  colmena apply --on '@kubevirt-shoryu' --verbose --show-trace

-[linux]
-[group('homelab')]
-shoryu-local mode="default":
-  #!/usr/bin/env nu
-  use {{utils_nu}} *; 
-  nixos-switch kubevirt-shoryu {{mode}}
-
 [linux]
 [group('homelab')]
 shushou:
  colmena apply --on '@kubevirt-shushou' --verbose --show-trace

-[linux]
-[group('homelab')]
-shushou-local mode="default":
-  #!/usr/bin/env nu
-  use {{utils_nu}} *; 
-  nixos-switch kubevirt-shushou {{mode}}
-
 [linux]
 [group('homelab')]
 youko:
  colmena apply --on '@kubevirt-youko' --verbose --show-trace

-[linux]
-[group('homelab')]
-youko-local mode="default":
-  #!/usr/bin/env nu
-  use {{utils_nu}} *; 
-  nixos-switch kubevirt-youko {{mode}}
-
 ############################################################################
 #
 # Commands for other Virtual Machines
@@ -257,37 +230,16 @@ upload-idols mode="default":
 aqua:
  colmena apply --on '@aqua' --verbose --show-trace

-[linux]
-[group('homelab')]
-aqua-local mode="default":
-  #!/usr/bin/env nu
-  use {{utils_nu}} *; 
-  nixos-switch aquamarine {{mode}}
-
 [linux]
 [group('homelab')]
 ruby:
  colmena apply --on '@ruby' --verbose --show-trace

-[linux]
-[group('homelab')]
-ruby-local mode="default":
-  #!/usr/bin/env nu
-  use {{utils_nu}} *; 
-  nixos-switch ruby {{mode}}
-
 [linux]
 [group('homelab')]
 kana:
  colmena apply --on '@kana' --verbose --show-trace

-[linux]
-[group('homelab')]
-kana-local mode="default":
-  #!/usr/bin/env nu
-  use {{utils_nu}} *; 
-  nixos-switch kana {{mode}}
-
 ############################################################################
 #
 # Kubernetes related commands
@@ -375,3 +327,29 @@ list-failed:
 [group('services')]
 list-systemd:
  systemctl list-units systemd-*
+
+
+# =================================================
+#
+# Nixpkgs Review via Github Action
+# https://github.com/ryan4yin/nixpkgs-review-gha
+#
+# =================================================
+
+# Run nixpkgs-review for PR
+[linux]
+[group('nixpkgs')]
+pkg-review pr:
+  gh workflow run review.yml --repo ryan4yin/nixpkgs-review-gha -f x86_64-darwin=no -f post-result=true -f pr={{pr}}
+
+# Run package tests for PR
+[linux]
+[group('nixpkgs')]
+pkg-test pr pname:
+  gh workflow run review.yml --repo ryan4yin/nixpkgs-review-gha -f x86_64-darwin=no -f post-result=true -f pr={{pr}} -f extra-args="-p {{pname}}.passthru.tests"
+
+# View the summary of a workflow
+[linux]
+[group('nixpkgs')]
+pkg-summary:
+  gh workflow view review.yml --repo ryan4yin/nixpkgs-review-gha
@@ -56,15 +56,15 @@ You don't have to go through the pain I've experienced again! Check out my

 |                             | NixOS(Wayland)                                                                                                      |
 | --------------------------- | ------------------------------------------------------------------------------------------------------------------- |
-| **Window Manager**          | [Hyprland][Hyprland]                                                                                                |
-| **Terminal Emulator**       | [Zellij][Zellij] + [Kitty][Kitty]                                                                                   |
+| **Window Manager**          | [Hyprland][Hyprland] / [Niri][Niri]                                                                                 |
+| **Terminal Emulator**       | [Zellij][Zellij] + [foot][foot]/[Kitty][Kitty]/[Alacritty][Alacritty]/[Ghostty][Ghostty]                            |
 | **Bar**                     | [Waybar][Waybar]                                                                                                    |
 | **Application Launcher**    | [anyrun][anyrun]                                                                                                    |
 | **Notification Daemon**     | [Mako][Mako]                                                                                                        |
-| **Display Manager**         | [GDM][GDM]                                                                                                          |
-| **Color Scheme**            | [Catppuccin][Catppuccin]                                                                                            |
+| **Display Manager**         | [tuigreet][tuigreet]                                                                                                |
+| **Color Scheme**            | [catppuccin-nix][catppuccin-nix]                                                                                    |
 | **network management tool** | [NetworkManager][NetworkManager]                                                                                    |
-| **Input method framework**  | [Fcitx5][Fcitx5]                                                                                                    |
+| **Input method framework**  | [Fcitx5][Fcitx5] + [rime][rime] + [小鹤音形 flypy][flypy]                                                           |
 | **System resource monitor** | [Btop][Btop]                                                                                                        |
 | **File Manager**            | [Yazi][Yazi] + [thunar][thunar]                                                                                     |
 | **Shell**                   | [Nushell][Nushell] + [Starship][Starship]                                                                           |
@@ -72,9 +72,9 @@ You don't have to go through the pain I've experienced again! Check out my
 | **Text Editor**             | [Neovim][Neovim]                                                                                                    |
 | **Fonts**                   | [Nerd fonts][Nerd fonts]                                                                                            |
 | **Image Viewer**            | [imv][imv]                                                                                                          |
-| **Screenshot Software**     | [hyprshot][hyprshot]                                                                               |
+| **Screenshot Software**     | [hyprshot][hyprshot]                                                                                                |
 | **Screen Recording**        | [OBS][OBS]                                                                                                          |
-| **Filesystem & Encryption** | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] encrypted partition for persistent, unlock via passphrase |
+| **Filesystem & Encryption** | tmpfs as `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] encrypted partition for persistent, unlock via passphrase |
 | **Secure Boot**             | [lanzaboote][lanzaboote]                                                                                            |

 Wallpapers: https://github.com/ryan4yin/wallpapers
@@ -109,14 +109,16 @@ For NixOS:
 > To deploy this flake from NixOS's official ISO image (purest installation method), please refer to
 > [./nixos-installer/](./nixos-installer/)

-> Need to restart the machine when switching between `wayland` and `xorg`.
-
 ```bash
 # deploy one of the configuration based on the hostname
 sudo nixos-rebuild switch --flake .#ai-hyprland

 # deploy via `just`(a command runner with similar syntax to make) & Justfile
-just hypr  # deploy my pc with hyprland compositor
+# Deploy the hyprland nixosConfiguration by hostname match
+just hypr
+
+# Deploy the niri nixosConfiguration by hostname match
+just niri

 # or we can deploy with details
 just hypr debug
@@ -132,15 +134,11 @@ nix-shell -p just nushell
 # 3. comment home-manager's code in lib/macosSystem.nix to speed up the first deployment.
 # 4. comment out the proxy settings in scripts/darwin_set_proxy.py if the proxy is not ready yet.

-# 4. deploy harmonica's configuration(macOS Intel)
-just ha
-
-# deploy fern's configuration(Apple Silicon)
-just fe
+# Deploy the darwinConfiguration by hostname match
+just local

 # deploy with details
-just ha debug
-# just fe debug
+just local debug
 ```

 > [What y'all will need when Nix drives you to drink.](https://www.youtube.com/watch?v=Eni9PPPPBpg)
@@ -179,7 +177,11 @@ Other dotfiles that inspired me:
  - [1amSimp1e/dots](https://github.com/1amSimp1e/dots)

 [Hyprland]: https://github.com/hyprwm/Hyprland
+[Niri]: https://github.com/YaLTeR/niri
 [Kitty]: https://github.com/kovidgoyal/kitty
+[foot]: https://codeberg.org/dnkl/foot
+[Alacritty]: https://github.com/alacritty/alacritty
+[Ghostty]: https://github.com/ghostty-org/ghostty
 [Nushell]: https://github.com/nushell/nushell
 [Starship]: https://github.com/starship/starship
 [Waybar]: https://github.com/Alexays/Waybar
@@ -188,6 +190,8 @@ Other dotfiles that inspired me:
 [anyrun]: https://github.com/Kirottu/anyrun
 [Dunst]: https://github.com/dunst-project/dunst
 [Fcitx5]: https://github.com/fcitx/fcitx5
+[rime]: https://wiki.archlinux.org/title/Rime
+[flypy]: https://flypy.cc/
 [Btop]: https://github.com/aristocratos/btop
 [mpv]: https://github.com/mpv-player/mpv
 [Zellij]: https://github.com/zellij-org/zellij
@@ -198,10 +202,10 @@ Other dotfiles that inspired me:
 [OBS]: https://obsproject.com
 [Mako]: https://github.com/emersion/mako
 [Nerd fonts]: https://github.com/ryanoasis/nerd-fonts
-[catppuccin]: https://github.com/catppuccin/catppuccin
+[catppuccin-nix]: https://github.com/catppuccin/nix
 [NetworkManager]: https://wiki.gnome.org/Projects/NetworkManager
 [wl-clipboard]: https://github.com/bugaevc/wl-clipboard
-[GDM]: https://wiki.archlinux.org/title/GDM
+[tuigreet]: https://github.com/apognu/tuigreet
 [thunar]: https://gitlab.xfce.org/xfce/thunar
 [Yazi]: https://github.com/sxyazi/yazi
 [Catppuccin]: https://github.com/catppuccin/catppuccin
@@ -3,5 +3,21 @@
 This is my private Private Key Infrastructure (PKI) / Certificate Authority (CA) for my personal
 use. It is used to issue certificates for my own servers and services.

-All the private keys are ignored by git, and will be stored in my private secrets repo
-[../secrets](../secrets/)
+## Current Structure
+
+- **ecc-ca.crt** - ECC CA certificate file
+- **ecc-ca.srl** - CA serial number file for certificate tracking
+- **ecc-csr.conf** - OpenSSL configuration file for certificate signing requests
+- **ecc-server.crt** - Server certificate signed by the ECC CA
+- **gen-certs.sh** - Shell script to generate certificates automatically
+
+## Security Notes
+
+All private keys (`.key` files) are ignored by git and stored in a private secrets repository. The
+public certificates and configuration files are committed to this repository for reference.
+
+## Usage
+
+Run `./gen-certs.sh` to generate new certificates using the ECC CA configuration.
+
+See [../secrets](../secrets/) for the corresponding private key management.
@@ -16,14 +16,14 @@
  nixConfig = {
    # substituers will be appended to the default substituters when fetching packages
    extra-substituters = [
-      "https://anyrun.cachix.org"
      # "https://nix-gaming.cachix.org"
      # "https://nixpkgs-wayland.cachix.org"
+      # "https://install.determinate.systems"
    ];
    extra-trusted-public-keys = [
-      "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
      # "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
      # "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
+      # "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
    ];
  };

@@ -41,6 +41,8 @@

    nixpkgs-ollama.url = "github:nixos/nixpkgs/nixos-unstable";

+    nixpkgs-patched.url = "github:ryan4yin/nixpkgs/nixos-unstable-patched";
+
    # for macos
    # nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.05-darwin";
    nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-unstable";
@@ -48,7 +50,6 @@
      url = "github:lnl7/nix-darwin";
      inputs.nixpkgs.follows = "nixpkgs-darwin";
    };
-    nixos-hardware.url = "github:NixOS/nixos-hardware/master";

    # home-manager, used for managing user configuration
    home-manager = {
@@ -61,18 +62,29 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

+    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
+
+    # https://github.com/catppuccin/nix
+    catppuccin = {
+      url = "github:catppuccin/nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
    lanzaboote = {
      url = "github:nix-community/lanzaboote/v0.4.2";
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    impermanence.url = "github:nix-community/impermanence";
+    preservation = {
+      url = "github:nix-community/preservation";
+    };

    # community wayland nixpkgs
    # nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
+
    # anyrun - a wayland launcher
    anyrun = {
-      url = "github:Kirottu/anyrun";
+      url = "github:/anyrun-org/anyrun/v25.9.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };

@@ -90,8 +102,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    nix-gaming.url = "github:fufexan/nix-gaming";
-
    disko = {
      url = "github:nix-community/disko/v1.11.0";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -99,11 +109,14 @@

    # add git hooks to format nix code before commit
    pre-commit-hooks = {
-      url = "github:cachix/pre-commit-hooks.nix";
+      url = "github:cachix/git-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    nuenv.url = "github:DeterminateSystems/nuenv";
+    nuenv = {
+      url = "github:DeterminateSystems/nuenv";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };

    haumea = {
      url = "github:nix-community/haumea/v0.2.2";
@@ -119,7 +132,29 @@
      url = "github:ghostty-org/ghostty";
    };

-    blender-bin.url = "github:edolstra/nix-warez?dir=blender";
+    blender-bin = {
+      url = "github:edolstra/nix-warez?dir=blender";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nixos-apple-silicon = {
+      # 2025-08-25 asahi-6.15.10-3
+      url = "github:nix-community/nixos-apple-silicon/b99bf9bf7445416fe55da09034fc4a6cd733805c";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    niri.url = "github:sodiboo/niri-flake";
+
+    # -------------- Gaming ---------------------
+
+    nix-gaming = {
+      url = "github:fufexan/nix-gaming";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    aagl = {
+      url = "github:ezKEa/aagl-gtk-on-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };

    ########################  Some non-flake repositories  #########################################

@@ -137,13 +172,21 @@
      flake = false;
    };

+    my-asahi-firmware = {
+      url = "git+ssh://git@github.com/ryan4yin/asahi-firmware.git?shallow=1";
+      flake = false;
+    };
+
    # my wallpapers
    wallpapers = {
      url = "github:ryan4yin/wallpapers";
      flake = false;
    };

-    nur-ryan4yin.url = "github:ryan4yin/nur-packages";
+    nur-ryan4yin = {
+      url = "github:ryan4yin/nur-packages";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };

    # for waydroid
    # nur-ataraxiasjel.url = "github:AtaraxiaSjel/nur";
@@ -7,21 +7,58 @@
 - **System Level**: Protect critical files from being accessed by untrusted applications.
  1. Such as browser cookies, SSH keys, etc.
 - **Per-App Level**: Prevent untrusted applications(such as closed-source apps) from:
-  1.  Accessing files they shouldn't.
-      - Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
-  1.  Accessing the network when they don't need to.
-  1.  Accessing hardware devices they don't need.
+  1. Accessing files they shouldn't.
+     - Such as a malicious application accessing your browser's cookies, SSH Keys, etc.
+  1. Accessing the network when they don't need to.
+  1. Accessing hardware devices they don't need.

-## Current Status
+## Current Structure

-1. **System Level**:
-   - [ ] AppArmor
-   - [ ] Kernel & System Hardening
-1. **Per-App Level**:
-   - Nixpak (Bubblewrap)
-     - [x] QQ
-     - [x] Firefox
-   - [ ] Firejail (risk? not enabled yet)
+### 1. **System Level**
+
+- **AppArmor** (`apparmor/`): AppArmor profiles and configuration
+- **Kernel & System Hardening** (`profiles/`): System-wide hardening profiles
+
+### 2. **Per-App Level**
+
+- **Nixpak** (`nixpaks/`): Bubblewrap-based sandboxing for applications
+  - Firefox configuration
+  - QQ (Chinese messaging app) configuration
+  - Modular system with reusable components
+- **Firejail** (legacy): SUID-based sandboxing (not used)
+- **Bubblewrap** (`bwraps/`): Direct bubblewrap configurations
+  - WeChat sandboxing configuration
+
+## Current Implementation Status
+
+| Component         | Status    | Notes                          |
+| ----------------- | --------- | ------------------------------ |
+| AppArmor Profiles | 🚧 WIP    | Basic structure in place       |
+| Nixpak Firefox    | ✅ Active | Firefox sandboxing via nixpak  |
+| Nixpak QQ         | ✅ Active | QQ application sandboxing      |
+| Bubblewrap WeChat | ✅ Active | WeChat specific sandboxing     |
+| System Profiles   | 🚧 WIP    | Hardened system configurations |
+
+## Directory Structure
+
+```
+hardening/
+├── README.md
+├── apparmor/           # AppArmor security profiles
+│   └── default.nix
+├── bwraps/            # Direct bubblewrap configurations
+│   ├── default.nix
+│   └── wechat.nix
+├── nixpaks/           # Nixpak application sandboxing
+│   ├── default.nix
+│   ├── firefox.nix
+│   ├── qq.nix
+│   └── modules/       # Reusable nixpak modules
+│       ├── gui-base.nix
+│       └── network.nix
+└── profiles/          # System hardening profiles
+    └── default.nix
+```

 ## Kernel Hardening

@@ -32,26 +69,27 @@

 - NixOS Profile:
  https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/profiles/hardened.nix
- Apparmor: [roddhjav/apparmor.d)](https://github.com/roddhjav/apparmor.d)
+- Apparmor: [roddhjav/apparmor.d](https://github.com/roddhjav/apparmor.d)
  - https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
  - AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based
    applications and processes.
-  - Nix Package:
-    [roddhjav-apparmor-rules](https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/ro/roddhjav-apparmor-rules/package.nix#L33)
-  - https://github.com/NixOS/nixpkgs/issues/331645
-  - https://github.com/LordGrimmauld/aa-alias-manager
+  - But all the profiles of AppArmor assume a FHS filesystem, which caused all apparmor policies
+    takes no effect on NixOS.
+  - Apparmor on NixOS Roadmap:
+    - https://discourse.nixos.org/t/apparmor-on-nixos-roadmap/57217
+    - https://github.com/LordGrimmauld/aa-alias-manager
 - SELinux: too complex, not recommended for personal use.

 ## Application Sandboxing

+- [Bubblewrap](https://github.com/containers/bubblewrap):
+  [nixpak](https://github.com/nixpak/nixpak), more secure than firejail, but no batteries included.
+  - NixOS's FHSEnv is implemented using bubblewrap by default.
 - [Firejail](https://github.com/netblue30/firejail/tree/master/etc): A SUID security sandbox with
  hundreds of security profiles for many common applications in the default installation.
  - https://wiki.nixos.org/wiki/Firejail
  - Firejail needs SUID to work, which is considered a security risk -
    [Does firejail improve the security of my system?](https://github.com/netblue30/firejail/discussions/4601)
- [Bubblewrap](https://github.com/containers/bubblewrap):
-  [nixpak](https://github.com/nixpak/nixpak), more secure than firejail, but no batteries included.
-  - NixOS's FHSEnv is implemented using bubblewrap by default.
 - [Systemd/Hardening](https://wiki.nixos.org/wiki/Systemd/Hardening): Systemd also provides some
  sandboxing features.

@@ -67,21 +105,11 @@ provide a much higher level of security.
 - [Harden your NixOS workstation - dataswamp](https://dataswamp.org/~solene/2022-01-13-nixos-hardened.html)
 - [Linux Insecurities - Madaidans](https://madaidans-insecurities.github.io/linux.html)
 - [Sandboxing all programs by default - NixOS Discourse](https://discourse.nixos.org/t/sandboxing-all-programs-by-default/7792)
- [在 Firejail 中运行 Steam](https://imbearchild.cyou/archives/2021/11/steam-in-firejail/)
- [Firejail - Arch Linux Wiki](https://wiki.archlinux.org/title/Firejail)
 - [Paranoid NixOS Setup - xeiaso](https://xeiaso.net/blog/paranoid-nixos-2021-07-18/)
 - [nix-mineral](https://github.com/cynicsketch/nix-mineral): NixOS module for convenient system
  hardening.
- nixpak configs:
-  - https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application
-  - https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak
-  - https://github.com/Keksgesicht/nixos-config/tree/91cc77d8d6b598da7c4dbed143e0009c2dea6940/packages/nixpak
-  - https://github.com/bluskript/nix-config/blob/7ecb6a7254c1ac4969072f4c4febdc19f8b83b30/pkgs/nixpak/default.nix
- firejail configs:
-  - https://github.com/stelcodes/nixos-config/blob/f8967c82a5e5f3d128eb1aaf7498b5f918f719ec/packages/overlay.nix#L261
 - apparmor configs:
-  - https://github.com/sukhmancs/nixos-configs/blob/7fcf737c506ad843113cd5b94796b49d4d4dfad2/modules/shared/security/apparmor/default.nix#L8
  - https://github.com/zramctl/dotfiles/blob/4fe177f6984154960942bb47d5a375098ec6ed6a/modules/nixos/security/apparmor.nix#L4
+  - https://git.grimmauld.de/Grimmauld/grimm-nixos-laptop/src/branch/main/hardening
 - Others:
  - Directly via `buildFHSUserEnvBubblewrap`:
-    https://github.com/xddxdd/nur-packages/blob/master/pkgs/uncategorized/wechat-uos/default.nix
@@ -2,7 +2,8 @@
  config,
  pkgs,
  ...
-}: {
+}:
+{
  services.dbus.apparmor = "enabled";
  security.apparmor = {
    enable = true;
@@ -0,0 +1,9 @@
+{
+  nixpkgs.overlays = [
+    (_: super: {
+      bwraps = {
+        wechat = super.callPackage ./wechat.nix { };
+      };
+    })
+  ];
+}
@@ -0,0 +1,99 @@
+# - wechat's flatpak manifest: https://github.com/flathub/com.tencent.WeChat/blob/master/com.tencent.WeChat.yaml
+# Refer:
+# - Flatpak manifest's docs:
+#   - https://docs.flatpak.org/en/latest/manifests.html
+#   - https://docs.flatpak.org/en/latest/sandbox-permissions.html
+#
+# TODO Since appimageTools.wrapAppImage do not support overriding, I have to pack this package myself.
+# https://github.com/NixOS/nixpkgs/pull/358977
+{
+  appimageTools,
+  fetchurl,
+  stdenvNoCC,
+}:
+let
+  pname = "wechat";
+  # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat/package.nix
+  sources = {
+    aarch64-linux = {
+      version = "4.0.1.11";
+      src = fetchurl {
+        url = "https://web.archive.org/web/20250512112413if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_arm64.AppImage";
+        hash = "sha256-Rg+FWNgOPC02ILUskQqQmlz1qNb9AMdvLcRWv7NQhGk=";
+      };
+    };
+    x86_64-linux = {
+      version = "4.0.1.11";
+      src = fetchurl {
+        url = "https://web.archive.org/web/20250512110825if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_x86_64.AppImage";
+        hash = "sha256-gBWcNQ1o1AZfNsmu1Vi1Kilqv3YbR+wqOod4XYAeVKo=";
+      };
+    };
+  };
+
+  inherit (stdenvNoCC.hostPlatform) system;
+  inherit (sources.${system} or (throw "Unsupported system: ${system}")) version src;
+
+  # https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/we/wechat/linux.nix
+  appimageContents = appimageTools.extract {
+    inherit pname version src;
+    postExtract = ''
+      patchelf --replace-needed libtiff.so.5 libtiff.so $out/opt/wechat/wechat
+    '';
+  };
+in
+appimageTools.wrapAppImage {
+  inherit pname version;
+
+  src = appimageContents;
+
+  extraInstallCommands = ''
+    mkdir -p $out/share/applications
+    cp ${appimageContents}/wechat.desktop $out/share/applications/
+    mkdir -p $out/share/pixmaps
+    cp ${appimageContents}/wechat.png $out/share/pixmaps/
+
+    substituteInPlace $out/share/applications/wechat.desktop --replace-fail AppRun wechat
+  '';
+
+  # Add these root paths to FHS sandbox to prevent WeChat from accessing them by default
+  # Adapted from https://aur.archlinux.org/cgit/aur.git/tree/wechat-universal.sh?h=wechat-universal-bwrap
+  extraPreBwrapCmds = ''
+    XDG_DOCUMENTS_DIR="''${XDG_DOCUMENTS_DIR:-$(xdg-user-dir DOCUMENTS)}"
+    if [[ -z "''${XDG_DOCUMENTS_DIR}" ]]; then
+        echo 'Error: Failed to get XDG_DOCUMENTS_DIR, refuse to continue'
+        exit 1
+    fi
+
+    WECHAT_DATA_DIR="''${XDG_DOCUMENTS_DIR}/WeChat_Data"
+
+    # Using ''${WECHAT_DATA_DIR} as Wechat Data folder
+    WECHAT_HOME_DIR="''${WECHAT_DATA_DIR}/home"
+    WECHAT_FILES_DIR="''${WECHAT_DATA_DIR}/xwechat_files"
+
+    mkdir -p "''${WECHAT_FILES_DIR}"
+    mkdir -p "''${WECHAT_HOME_DIR}"
+    ln -snf "''${WECHAT_FILES_DIR}" "''${WECHAT_HOME_DIR}/xwechat_files"
+  '';
+  extraBwrapArgs = [
+    "--tmpfs /home"
+    "--tmpfs /root"
+    # format: --bind <host-path> <sandbox-path>
+    "--bind \${WECHAT_HOME_DIR} \${HOME}"
+    "--bind \${WECHAT_FILES_DIR} \${WECHAT_FILES_DIR}"
+    "--chdir \${HOME}"
+    # wechat-universal only supports xcb
+    "--setenv QT_QPA_PLATFORM xcb"
+    "--setenv QT_AUTO_SCREEN_SCALE_FACTOR 1"
+    # use fcitx as IME
+    "--setenv QT_IM_MODULE fcitx"
+    "--setenv GTK_IM_MODULE fcitx"
+  ];
+  chdirToPwd = false;
+  unshareNet = false;
+  unshareIpc = true;
+  unsharePid = true;
+  unshareUts = true;
+  unshareCgroup = true;
+  privateTmp = true;
+}
@@ -1,71 +0,0 @@
-{pkgs, ...}: let
-  firejailWrapper = import ./firejailWrapper.nix pkgs;
-in {
-  programs.firejail.enable = true;
-
-  # Add firejailed Apps into nixsuper, and reference them in home-manager or other nixos modules
-  nixpkgs.overlays = [
-    (_: super: {
-      firejailed = {
-        steam = firejailWrapper {
-          name = "steam-firejailed";
-          executable = "${super.steam}/bin/steam";
-          profile = "${super.firejail}/etc/firejail/steam.profile";
-        };
-        steam-run = firejailWrapper {
-          name = "steam-run-firejailed";
-          executable = "${super.steam}/bin/steam-run";
-          profile = "${super.firejail}/etc/firejail/steam.profile";
-        };
-
-        # firefox = firejailWrapper {
-        #   name = "firefox-firejailed";
-        #   executable = "${super.lib.getBin super.firefox-wayland}/bin/firefox";
-        #   profile = "${super.firejail}/etc/firejail/firefox.profile";
-        # };
-        # chromium = firejailWrapper {
-        #   name = "chromium-firejailed";
-        #   executable = "${super.lib.getBin super.ungoogled-chromium}/bin/chromium";
-        #   profile = "${super.firejail}/etc/firejail/chromium.profile";
-        # };
-
-        mpv = firejailWrapper {
-          executable = "${super.lib.getBin super.mpv}/bin/mpv";
-          profile = "${super.firejail}/etc/firejail/mpv.profile";
-        };
-        imv = firejailWrapper {
-          executable = "${super.lib.getBin super.imv}/bin/imv";
-          profile = "${super.firejail}/etc/firejail/imv.profile";
-        };
-        zathura = firejailWrapper {
-          executable = "${super.lib.getBin super.zathura}/bin/zathura";
-          profile = "${super.firejail}/etc/firejail/zathura.profile";
-        };
-        slack = firejailWrapper {
-          executable = "${super.lib.getBin super.slack}/bin/slack";
-          profile = "${super.firejail}/etc/firejail/slack.profile";
-        };
-        telegram-desktop = firejailWrapper {
-          executable = "${super.lib.getBin super.tdesktop}/bin/telegram-desktop";
-          profile = "${super.firejail}/etc/firejail/telegram-desktop.profile";
-        };
-        brave = firejailWrapper {
-          executable = "${super.lib.getBin super.brave}/bin/brave";
-          profile = "${super.firejail}/etc/firejail/brave.profile";
-        };
-        qutebrowser = firejailWrapper {
-          executable = "${super.lib.getBin super.qutebrowser}/bin/qutebrowser";
-          profile = "${super.firejail}/etc/firejail/qutebrowser.profile";
-        };
-        thunar = firejailWrapper {
-          executable = "${super.lib.getBin super.xfce.thunar}/bin/thunar";
-          profile = "${super.firejail}/etc/firejail/thunar.profile";
-        };
-        vscodium = firejailWrapper {
-          executable = "${super.lib.getBin super.vscodium}/bin/vscodium";
-          profile = "${super.firejail}/etc/firejail/vscodium.profile";
-        };
-      };
-    })
-  ];
-}
@@ -1,35 +0,0 @@
-# https://www.reddit.com/r/NixOS/comments/1b56jdx/simple_nix_function_for_wrapping_executables_with/
-pkgs: {
-  name ? "firejail-wrapper",
-  executable,
-  desktop ? null,
-  profile ? null,
-  extraArgs ? [],
-}:
-pkgs.runCommand name
-{
-  preferLocalBuild = true;
-  allowSubstitutes = false;
-  meta.priority = -1; # take precedence over non-firejailed versions
-}
-(
-  let
-    firejailArgs = pkgs.lib.concatStringsSep " " (
-      extraArgs ++ (pkgs.lib.optional (profile != null) "--profile=${toString profile}")
-    );
-  in
-    ''
-      command_path="$out/bin/$(basename ${executable})-jailed"
-      mkdir -p $out/bin
-      mkdir -p $out/share/applications
-      cat <<'_EOF' >"$command_path"
-      #! ${pkgs.runtimeShell} -e
-      exec /run/wrappers/bin/firejail ${firejailArgs} -- ${toString executable} "\$@"
-      _EOF
-      chmod 0755 "$command_path"
-    ''
-    + pkgs.lib.optionalString (desktop != null) ''
-      substitute ${desktop} $out/share/applications/$(basename ${desktop}) \
-        --replace ${executable} "$command_path"
-    ''
-)
@@ -1,8 +1,10 @@
 {
  pkgs,
+  pkgs-patched,
  nixpak,
  ...
-}: let
+}:
+let
  callArgs = {
    mkNixPak = nixpak.lib.nixpak {
      inherit (pkgs) lib;
@@ -13,20 +15,17 @@
      (sloth.concat' sloth.homeDir mapdir)
    ];
  };
-  wrapper = _pkgs: path: (_pkgs.callPackage path callArgs).config.script;
-in {
+  wrapper = _pkgs: path: (_pkgs.callPackage path callArgs);
+in
+{
  # Add nixpaked Apps into nixpkgs, and reference them in home-manager or other nixos modules
  nixpkgs.overlays = [
    (_: super: {
      nixpaks = {
-        qq = wrapper super ./qq.nix;
-        qq-desktop-item = super.callPackage ./qq-desktop-item.nix {};
-
-        wechat-uos = wrapper super ./wechat-uos.nix;
-        wechat-uos-desktop-item = super.callPackage ./wechat-uos-desktop-item.nix {};
-
+        qq = wrapper pkgs-patched ./qq.nix;
+        wechat = wrapper super ./wechat.nix;
+        telegram-desktop = wrapper super ./telegram-desktop.nix;
        firefox = wrapper super ./firefox.nix;
-        firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix {};
      };
    })
  ];
@@ -1,11 +0,0 @@
-{makeDesktopItem}:
-makeDesktopItem {
-  name = "firefox";
-  desktopName = "firefox";
-  exec = "firefox %U";
-  terminal = false;
-  icon = "firefox";
-  type = "Application";
-  categories = ["Network"];
-  comment = "firefox boxed";
-}
@@ -5,72 +5,136 @@
 # - Firefox's flatpak manifest: https://hg.mozilla.org/mozilla-central/file/tip/taskcluster/docker/firefox-flatpak/runme.sh#l151
 {
  lib,
-  pkgs,
+  firefox-wayland,
  mkNixPak,
+  buildEnv,
+  makeDesktopItem,
  ...
 }:
-mkNixPak {
-  config = {
-    config,
-    sloth,
-    ...
-  }: {
-    app = {
-      package = pkgs.firefox-wayland;
-      binPath = "bin/firefox";
-    };
-    flatpak.appId = "org.mozilla.firefox";

-    imports = [
-      ./modules/gui-base.nix
-      ./modules/network.nix
-    ];
+let
+  appId = "org.mozilla.firefox";
+  wrapped = mkNixPak {
+    config =
+      {
+        config,
+        sloth,
+        ...
+      }:
+      {
+        app = {
+          package = firefox-wayland;
+          binPath = "bin/firefox";
+        };
+        flatpak.appId = appId;

-    # list all dbus services:
-    #   ls -al /run/current-system/sw/share/dbus-1/services/
-    #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
-    dbus.policies = {
-      "org.mozilla.firefox.*" = "own"; # firefox
-      "org.mozilla.firefox_beta.*" = "own"; # firefox beta
-      "org.mpris.MediaPlayer2.firefox.*" = "own";
-      "org.freedesktop.NetworkManager" = "talk";
-    };
+        imports = [
+          ./modules/gui-base.nix
+          ./modules/network.nix
+          ./modules/common.nix
+        ];

-    bubblewrap = {
-      # To trace all the home files QQ accesses, you can use the following nushell command:
-      #   just trace-access firefox
-      # See the Justfile in the root of this repository for more information.
-      bind.rw = [
-        # given the read write permission to the following directories.
-        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
-        (sloth.mkdir (sloth.concat' sloth.homeDir "/.mozilla"))
+        # list all dbus services:
+        #   ls -al /run/current-system/sw/share/dbus-1/services/
+        #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
+        dbus.policies = {
+          "org.mozilla.firefox.*" = "own"; # firefox
+          "org.mozilla.firefox_beta.*" = "own"; # firefox beta
+          "org.mpris.MediaPlayer2.firefox.*" = "own";

-        # ================ for externsions ===============================
-        # required by https://github.com/browserpass/browserpass-extension
-        (sloth.concat' sloth.homeDir "/.local/share/password-store") # pass
-        sloth.xdgDownloadDir
-        sloth.xdgDocumentsDir
-      ];
-      bind.ro = [
-        # To actually make Firefox run
-        "/sys/bus/pci"
-        ["${config.app.package}/lib/firefox" "/app/etc/firefox"]
+          "org.gnome.Shell.Screencast" = "talk";
+          # System tray icon
+          "org.freedesktop.Notifications" = "talk";
+          "org.kde.StatusNotifierWatcher" = "talk";
+        };

-        # Unsure
-        (sloth.concat' sloth.xdgConfigHome "/dconf")
-      ];
+        bubblewrap = {
+          # To trace all the home files Firefox accesses, you can use the following nushell command:
+          #   just trace-access firefox
+          # See the Justfile in the root of this repository for more information.
+          bind.rw = [
+            # given the read write permission to the following directories.
+            # NOTE: sloth.mkdir is used to create the directory if it does not exist!
+            (sloth.mkdir (sloth.concat' sloth.homeDir "/.mozilla"))

-      sockets = {
-        x11 = false;
-        wayland = true;
-        pipewire = true;
+            sloth.xdgDocumentsDir
+            sloth.xdgDownloadDir
+            sloth.xdgMusicDir
+            sloth.xdgVideosDir
+          ];
+          bind.ro = [
+            "/sys/bus/pci"
+            [
+              "${config.app.package}/lib/firefox"
+              "/app/etc/firefox"
+            ]
+
+            # ================ for browserpass extension ===============================
+            "/etc/gnupg"
+            (sloth.concat' sloth.homeDir "/.gnupg") # gpg's config
+            (sloth.concat' sloth.homeDir "/.local/share/password-store") # my secrets
+            (sloth.concat' sloth.runtimeDir "/gnupg") # for access gpg-agent socket
+
+            # Unsure
+            (sloth.concat' sloth.xdgConfigHome "/dconf")
+          ];
+
+          sockets = {
+            x11 = false;
+            wayland = true;
+            pipewire = true;
+          };
+        };
      };
-      bind.dev = [
-        "/dev/shm" # Shared Memory
-      ];
-      tmpfs = [
-        "/tmp"
-      ];
-    };
  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "Firefox";
+      genericName = "Firefox Boxed";
+      comment = "Firefox Browser";
+      exec = "${exePath} %U";
+      terminal = false;
+      icon = "firefox";
+      startupNotify = true;
+      startupWMClass = "firefox";
+      type = "Application";
+      categories = [
+        "Network"
+        "WebBrowser"
+      ];
+      mimeTypes = [
+        "text/html"
+        "text/xml"
+        "application/xhtml+xml"
+        "application/vnd.mozilla.xul+xml"
+        "x-scheme-handler/http"
+        "x-scheme-handler/https"
+      ];
+
+      actions = {
+        new-private-window = {
+          name = "New Private Window";
+          exec = "${exePath} --private-window %U";
+        };
+        new-window = {
+          name = "New Window";
+          exec = "${exePath} --new-window %U";
+        };
+        profile-manager-window = {
+          name = "Profile Manager";
+          exec = "${exePath} --ProfileManager";
+        };
+      };
+
+      extraConfig = {
+        X-Flatpak = appId;
+      };
+    })
+  ];
 }
@@ -0,0 +1,236 @@
+{
+  lib,
+  pkgs,
+  sloth,
+  config,
+  ...
+}:
+{
+  config = {
+    dbus =
+      let
+        inherit (config.flatpak) appId;
+      in
+      {
+        policies = {
+          "${appId}" = "own";
+          "${appId}.*" = "own";
+          "org.freedesktop.DBus" = "talk";
+          "org.gtk.vfs.*" = "talk";
+          "org.gtk.vfs" = "talk";
+          "ca.desrt.dconf" = "talk";
+          "org.freedesktop.portal.*" = "talk";
+          "org.a11y.Bus" = "talk";
+          "org.freedesktop.appearance" = "talk";
+          "org.freedesktop.appearance.*" = "talk";
+        }
+        // (builtins.listToAttrs (
+          map (id: lib.nameValuePair "org.kde.StatusNotifierItem-${toString id}-1" "own") (
+            lib.lists.range 2 11
+          )
+        ))
+        // {
+          # --- MPRIS Media Control ---
+          # Allows the app to register as a media player. These are derived from the appID.
+          "org.mpris.MediaPlayer2.${appId}" = "own";
+          "org.mpris.MediaPlayer2.${appId}.*" = "own";
+          "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}" = "own";
+          "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}.*" = "own";
+          # Conditionally allows a custom, friendlier MPRIS name if 'mprisName' is set.
+          #       "org.mpris.MediaPlayer2.${mprisName}" = "own";
+          #       "org.mpris.MediaPlayer2.${mprisName}.*" = "own";
+
+          # --- General Desktop Integration ---
+          "com.canonical.AppMenu.Registrar" = "talk"; # For Ubuntu AppMenu
+          "org.freedesktop.FileManager1" = "talk";
+          "org.freedesktop.Notifications" = "talk";
+
+          # --- Accessibility (a11y) ---
+          "org.a11y.Bus" = "see";
+
+          # --- Portal Access ---
+          "org.freedesktop.portal.Documents" = "talk";
+          "org.freedesktop.portal.FileTransfer" = "talk";
+          "org.freedesktop.portal.FileTransfer.*" = "talk";
+          "org.freedesktop.portal.Notification" = "talk";
+          "org.freedesktop.portal.OpenURI" = "talk";
+          "org.freedesktop.portal.OpenURI.OpenFile" = "talk";
+          "org.freedesktop.portal.OpenURI.OpenURI" = "talk";
+          "org.freedesktop.portal.Print" = "talk";
+          "org.freedesktop.portal.Request" = "see";
+
+          # --- Input Method Portals ---
+          "org.freedesktop.portal.Fcitx" = "talk";
+          "org.freedesktop.portal.Fcitx.*" = "talk";
+          "org.freedesktop.portal.IBus" = "talk";
+          "org.freedesktop.portal.IBus.*" = "talk";
+        };
+        rules = {
+          # 'call' rules permit specific method calls on D-Bus interfaces.
+          call = {
+            # --- Accessibility ---
+            "org.a11y.Bus" = [
+              "org.a11y.Bus.GetAddress@/org/a11y/bus"
+              "org.freedesktop.DBus.Properties.Get@/org/a11y/bus"
+            ];
+
+            # --- General Portal Rules ---
+            "org.freedesktop.FileManager1" = [ "*" ];
+            "org.freedesktop.Notifications.*" = [ "*" ];
+            "org.freedesktop.portal.Documents" = [ "*" ];
+            "org.freedesktop.portal.FileTransfer" = [ "*" ];
+            "org.freedesktop.portal.FileTransfer.*" = [ "*" ];
+            "org.freedesktop.portal.Fcitx" = [ "*" ];
+            "org.freedesktop.portal.Fcitx.*" = [ "*" ];
+            "org.freedesktop.portal.IBus" = [ "*" ];
+            "org.freedesktop.portal.IBus.*" = [ "*" ];
+            "org.freedesktop.portal.Notification" = [ "*" ];
+            "org.freedesktop.portal.OpenURI" = [ "*" ];
+            "org.freedesktop.portal.OpenURI.OpenFile" = [ "*" ];
+            "org.freedesktop.portal.OpenURI.OpenURI" = [ "*" ];
+            "org.freedesktop.portal.Print" = [ "*" ];
+            "org.freedesktop.portal.Request" = [ "*" ];
+
+            # --- Main Desktop Portal Interface ---
+            # A comprehensive list of permissions for interacting with the desktop environment.
+            "org.freedesktop.portal.Desktop" = [
+              # Device Access
+              "org.freedesktop.portal.Camera"
+              "org.freedesktop.portal.Camera.*"
+              "org.freedesktop.portal.Usb"
+              "org.freedesktop.portal.Usb.*"
+
+              # File Chooser & Documents
+              "org.freedesktop.portal.Documents"
+              "org.freedesktop.portal.Documents.*"
+              "org.freedesktop.portal.FileChooser"
+              "org.freedesktop.portal.FileChooser.*"
+              "org.freedesktop.portal.FileTransfer"
+              "org.freedesktop.portal.FileTransfer.*"
+
+              # Input Methods
+              "org.freedesktop.portal.Fcitx"
+              "org.freedesktop.portal.Fcitx.*"
+              "org.freedesktop.portal.IBus"
+              "org.freedesktop.portal.IBus.*"
+
+              # Notifications & Printing
+              "org.freedesktop.portal.Notification"
+              "org.freedesktop.portal.Notification.*"
+              "org.freedesktop.portal.Print"
+              "org.freedesktop.portal.Print.*"
+
+              # Open/Launch Handlers
+              "org.freedesktop.portal.Email.ComposeEmail"
+              "org.freedesktop.portal.OpenURI"
+              "org.freedesktop.portal.OpenURI.*"
+
+              # Properties & Session Management
+              "org.freedesktop.DBus.Properties.GetAll"
+              "org.freedesktop.DBus.Properties.Get@/org/freedesktop/portal/desktop"
+              "org.freedesktop.portal.Session.Close"
+
+              # Screen Capture & Sharing
+              "org.freedesktop.portal.RemoteDesktop"
+              "org.freedesktop.portal.RemoteDesktop.*"
+              "org.freedesktop.portal.ScreenCast"
+              "org.freedesktop.portal.ScreenCast.*"
+              "org.freedesktop.portal.Screenshot"
+              "org.freedesktop.portal.Screenshot.Screenshot"
+
+              # Secrets (Keyring)
+              "org.freedesktop.portal.Secret"
+              "org.freedesktop.portal.Secret.RetrieveSecret"
+
+              # Settings
+              "org.freedesktop.portal.Settings.Read"
+              "org.freedesktop.portal.Settings.ReadAll"
+
+              # System Information
+              "org.freedesktop.portal.Account.GetUserInformation"
+              "org.freedesktop.portal.NetworkMonitor"
+              "org.freedesktop.portal.NetworkMonitor.*"
+              "org.freedesktop.portal.ProxyResolver.Lookup"
+              "org.freedesktop.portal.ProxyResolver.Lookup.*"
+
+              # Generic Request Fallback
+              "org.freedesktop.portal.Request"
+
+              # --- Conditional Portal Rules ---
+              # These would be enabled based on config flags in a real implementation.
+
+              # Enabled if 'allowGlobalShortcuts = true'
+              "org.freedesktop.portal.GlobalShortcuts"
+              "org.freedesktop.portal.GlobalShortcuts.*"
+
+              # Enabled if 'allowInhibit = true'
+              "org.freedesktop.portal.Inhibit"
+              "org.freedesktop.portal.Inhibit.*"
+
+              # Enabled if 'XDG_CURRENT_DESKTOP = "GNOME"'
+              "org.freedesktop.portal.Location"
+              "org.freedesktop.portal.Location.*"
+            ];
+          };
+
+          # 'broadcast' rules permit receiving signals from D-Bus names.
+          broadcast = {
+            "org.freedesktop.portal.*" = [ "@/org/freedesktop/portal/*" ];
+          };
+        };
+        args = [
+          "--filter"
+          "--sloppy-names"
+          "--log"
+        ];
+      };
+
+    etc.sslCertificates.enable = true;
+    bubblewrap = {
+      network = lib.mkDefault true;
+      sockets = {
+        wayland = true;
+        pulse = true;
+      };
+
+      bind.rw = with sloth; [
+        [
+          (mkdir appDataDir)
+          xdgDataHome
+        ]
+        [
+          (mkdir appConfigDir)
+          xdgConfigHome
+        ]
+        [
+          (mkdir appCacheDir)
+          xdgCacheHome
+        ]
+
+        (sloth.concat [
+          sloth.runtimeDir
+          "/"
+          (sloth.envOr "WAYLAND_DISPLAY" "no")
+        ])
+        (sloth.concat' sloth.runtimeDir "/at-spi/bus")
+        (sloth.concat' sloth.runtimeDir "/gvfsd")
+        (sloth.concat' sloth.runtimeDir "/dconf")
+
+        (sloth.concat' sloth.xdgCacheHome "/fontconfig")
+        (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache")
+        (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache_db")
+        (sloth.concat' sloth.xdgCacheHome "/radv_builtin_shaders")
+      ];
+      bind.ro = [
+        (sloth.concat' sloth.runtimeDir "/doc")
+        (sloth.concat' sloth.xdgConfigHome "/kdeglobals")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-2.0")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-3.0")
+        (sloth.concat' sloth.xdgConfigHome "/gtk-4.0")
+        (sloth.concat' sloth.xdgConfigHome "/fontconfig")
+        (sloth.concat' sloth.xdgConfigHome "/dconf")
+      ];
+      bind.dev = [ "/dev/shm" ] ++ (map (id: "/dev/video${toString id}") (lib.lists.range 0 9));
+    };
+  };
+}
@@ -5,21 +5,18 @@
  pkgs,
  sloth,
  ...
-}: let
+}:
+let
  envSuffix = envKey: suffix: sloth.concat' (sloth.env envKey) suffix;
  # cursor & icon's theme should be the same as the host's one.
  cursorTheme = pkgs.bibata-cursors;
  iconTheme = pkgs.papirus-icon-theme;
-in {
+in
+{
  config = {
    dbus.policies = {
      "${config.flatpak.appId}" = "own";
-      "org.freedesktop.DBus" = "talk";
-      "org.gtk.vfs.*" = "talk";
-      "org.gtk.vfs" = "talk";
-      "ca.desrt.dconf" = "talk";
-      "org.freedesktop.portal.*" = "talk";
-      "org.a11y.Bus" = "talk";
+      # we add other policies in ./common.nix
    };
    # https://github.com/nixpak/nixpak/blob/master/modules/gpu.nix
    # 1. bind readonly - /run/opengl-driver
@@ -64,14 +61,16 @@ in {
        (sloth.concat' sloth.xdgConfigHome "/fontconfig")

        "/etc/fonts" # for fontconfig
-        "/etc/machine-id"
-        "/etc/localtime"
+        "/etc/localtime" # this is a symlink to /etc/zoneinfo/xxx
+        "/etc/zoneinfo"

        # Fix: libEGL warning: egl: failed to create dri2 screen
        "/etc/egl"
        "/etc/static/egl"
      ];
      bind.dev = [
+        "/dev/shm" # Shared Memory
+
        # seems required when using nvidia as primary gpu
        "/dev/nvidia0"
        "/dev/nvidiactl"
@@ -79,16 +78,24 @@ in {
        "/dev/nvidia-uvm"
      ];

+      tmpfs = [
+        "/tmp"
+      ];
+
      env = {
-        XDG_DATA_DIRS = lib.mkForce (lib.makeSearchPath "share" [
-          iconTheme
-          cursorTheme
-          pkgs.shared-mime-info
-        ]);
-        XCURSOR_PATH = lib.mkForce (lib.concatStringsSep ":" [
-          "${cursorTheme}/share/icons"
-          "${cursorTheme}/share/pixmaps"
-        ]);
+        XDG_DATA_DIRS = lib.mkForce (
+          lib.makeSearchPath "share" [
+            iconTheme
+            cursorTheme
+            pkgs.shared-mime-info
+          ]
+        );
+        XCURSOR_PATH = lib.mkForce (
+          lib.concatStringsSep ":" [
+            "${cursorTheme}/share/icons"
+            "${cursorTheme}/share/pixmaps"
+          ]
+        );
      };
    };
  };
@@ -2,7 +2,7 @@
 {
  etc.sslCertificates.enable = true;
  bubblewrap = {
-    bind.ro = ["/etc/resolv.conf"];
+    bind.ro = [ "/etc/resolv.conf" ];
    network = true;
  };
 }
@@ -1,17 +0,0 @@
-{
-  makeDesktopItem,
-  qq,
-}:
-makeDesktopItem {
-  name = "qq";
-  desktopName = "QQ";
-  exec = "qq %U";
-  terminal = false;
-  # To find the icon name(nushell):
-  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#qq.outPath | str trim --char '"'
-  #   tree $"($p)/share/icons"
-  icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
-  type = "Application";
-  categories = ["Network"];
-  comment = "QQ boxed";
-}
@@ -5,56 +5,87 @@
 # - QQ's flatpak manifest: https://github.com/flathub/com.qq.QQ/blob/master/com.qq.QQ.yaml
 {
  lib,
-  pkgs,
+  qq,
  mkNixPak,
+  buildEnv,
+  makeDesktopItem,
  ...
 }:
-mkNixPak {
-  config = {sloth, ...}: {
-    app = {
-      package = pkgs.qq.override {
-        # fix fcitx5 input method
-        commandLineArgs = lib.concatStringsSep " " ["--enable-wayland-ime"];
-      };
-      binPath = "bin/qq";
-    };
-    flatpak.appId = "com.tencent.qq";

-    imports = [
-      ./modules/gui-base.nix
-      ./modules/network.nix
-    ];
+let
+  appId = "com.qq.QQ";

-    # list all dbus services:
-    #   ls -al /run/current-system/sw/share/dbus-1/services/
-    #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
-    dbus.policies = {
-      "org.gnome.Shell.Screencast" = "talk";
-      "org.freedesktop.Notifications" = "talk";
-      "org.kde.StatusNotifierWatcher" = "talk";
-    };
-    bubblewrap = {
-      # To trace all the home files QQ accesses, you can use the following nushell command:
-      #   just trace-access qq
-      # See the Justfile in the root of this repository for more information.
-      bind.rw = [
-        # given the read write permission to the following directories.
-        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
-        (sloth.mkdir (sloth.concat [sloth.xdgConfigHome "/QQ"]))
-        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/QQ"]))
-        sloth.xdgDownloadDir
-      ];
-      sockets = {
-        x11 = false;
-        wayland = true;
-        pipewire = true;
+  wrapped = mkNixPak {
+    config =
+      { sloth, ... }:
+      {
+        app = {
+          package = qq;
+          binPath = "bin/qq";
+        };
+        flatpak.appId = appId;
+
+        imports = [
+          ./modules/gui-base.nix
+          ./modules/network.nix
+          ./modules/common.nix
+        ];
+
+        # list all dbus services:
+        #   ls -al /run/current-system/sw/share/dbus-1/services/
+        #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
+        dbus.policies = {
+          "org.gnome.Shell.Screencast" = "talk";
+          # System tray icon
+          "org.freedesktop.Notifications" = "talk";
+          "org.kde.StatusNotifierWatcher" = "talk";
+          # File Manager
+          "org.freedesktop.FileManager1" = "talk";
+          # Uses legacy StatusNotifier implementation
+          "org.kde.*" = "own";
+        };
+        bubblewrap = {
+          # To trace all the home files QQ accesses, you can use the following nushell command:
+          #   just trace-access qq
+          # See the Justfile in the root of this repository for more information.
+          bind.rw = [
+            sloth.xdgDocumentsDir
+            sloth.xdgDownloadDir
+            sloth.xdgMusicDir
+            sloth.xdgVideosDir
+          ];
+          sockets = {
+            x11 = false;
+            wayland = true;
+            pipewire = true;
+          };
+        };
      };
-      bind.dev = [
-        "/dev/shm" # Shared Memory
-      ];
-      tmpfs = [
-        "/tmp"
-      ];
-    };
  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "QQ";
+      genericName = "QQ Boxed";
+      comment = "Tencent QQ, also known as QQ, is an instant messaging software service and web portal developed by the Chinese technology company Tencent.";
+      exec = "${exePath} %U";
+      terminal = false;
+      icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
+      startupNotify = true;
+      startupWMClass = "QQ";
+      type = "Application";
+      categories = [
+        "InstantMessaging"
+        "Network"
+      ];
+      extraConfig = {
+        X-Flatpak = appId;
+      };
+    })
+  ];
 }
@@ -0,0 +1,104 @@
+{
+  lib,
+  telegram-desktop,
+  buildEnv,
+  mkNixPak,
+  makeDesktopItem,
+  ...
+}:
+let
+  appId = "org.telegram.desktop";
+  wrapped = mkNixPak {
+    config =
+      { sloth, ... }:
+      {
+        imports = [
+          ./modules/gui-base.nix
+          ./modules/network.nix
+          ./modules/common.nix
+        ];
+        app.package = telegram-desktop;
+        flatpak = {
+          appId = appId;
+        };
+        dbus = {
+          enable = true;
+          policies = {
+            "org.gnome.Mutter.IdleMonitor" = "talk";
+            "org.freedesktop.Notifications" = "talk";
+            "org.kde.StatusNotifierWatcher" = "talk";
+            "com.canonical.AppMenu.Registrar" = "talk";
+            "com.canonical.indicator.application" = "talk";
+            "org.ayatana.indicator.application" = "talk";
+            "org.sigxcpu.Feedback" = "talk";
+          };
+        };
+
+        bubblewrap = {
+          bind.rw = [
+            sloth.xdgDocumentsDir
+            sloth.xdgDownloadDir
+            sloth.xdgMusicDir
+            sloth.xdgVideosDir
+          ];
+          sockets = {
+            x11 = false;
+            wayland = true;
+            pipewire = true;
+          };
+        };
+      };
+  };
+  exePath = lib.getExe wrapped.config.script;
+in
+buildEnv {
+  inherit (wrapped.config.script) name meta passthru;
+  paths = [
+    wrapped.config.script
+    (makeDesktopItem {
+      name = appId;
+      desktopName = "Telegram";
+      comment = "New era of messaging";
+      tryExec = "${exePath}";
+      exec = "${exePath} -- %u";
+      icon = appId;
+      startupNotify = true;
+      startupWMClass = appId;
+      terminal = false;
+      type = "Application";
+      categories = [
+        "Chat"
+        "Network"
+        "InstantMessaging"
+        "Qt"
+      ];
+      mimeTypes = [
+        "x-scheme-handler/tg"
+        "x-scheme-handler/tonsite"
+      ];
+      keywords = [
+        "tg"
+        "chat"
+        "im"
+        "messaging"
+        "messenger"
+        "sms"
+        "tdesktop"
+      ];
+      actions = {
+        quit = {
+          name = "Quit Telegram";
+          exec = "${exePath} -quit";
+          icon = "application-exit";
+        };
+      };
+      extraConfig = {
+        X-Flatpak = appId;
+        DBusActivatable = "true";
+        SingleMainWindow = "true";
+        X-GNOME-UsesNotifications = "true";
+        X-GNOME-SingleWindow = "true";
+      };
+    })
+  ];
+}
@@ -1,17 +0,0 @@
-{
-  makeDesktopItem,
-  wechat-uos,
-}:
-makeDesktopItem {
-  name = "wechat";
-  desktopName = "WeChat";
-  exec = "wechat-uos %U";
-  terminal = false;
-  # To find the icon name(nushell):
-  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#wechat-uos.outPath | str trim --char '"'
-  #   tree $"($p)/share/icons"
-  icon = "${wechat-uos}/share/icons/hicolor/256x256/apps/com.tencent.wechat.png";
-  type = "Application";
-  categories = ["Network"];
-  comment = "Wechat boxed";
-}
@@ -1,73 +0,0 @@
-# TODO: wechat-uos is running in FHS sandbox by default, it's problematic
-#   to wrap it again via flatpak. We need to find a way to fix it.
-#   https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat-uos/package.nix
-# Refer:
-# - Flatpak manifest's docs:
-#   - https://docs.flatpak.org/en/latest/manifests.html
-#   - https://docs.flatpak.org/en/latest/sandbox-permissions.html
-# - wechat-uos's flatpak manifest: https://github.com/flathub/com.tencent.WeChat/blob/master/com.tencent.WeChat.yaml
-{
-  lib,
-  pkgs,
-  mkNixPak,
-  ...
-}:
-mkNixPak {
-  config = {sloth, ...}: {
-    app = {
-      package = pkgs.wechat-uos;
-      binPath = "bin/wechat-uos";
-    };
-    flatpak.appId = "com.tencent.WeChat";
-
-    imports = [
-      ./modules/gui-base.nix
-      ./modules/network.nix
-    ];
-
-    # list all dbus services:
-    #   ls -al /run/current-system/sw/share/dbus-1/services/
-    #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
-    dbus.policies = {
-      "org.gnome.Shell.Screencast" = "talk";
-      # System tray icon
-      "org.freedesktop.Notifications" = "talk";
-      "org.kde.StatusNotifierWatcher" = "talk";
-      # File Manager
-      "org.freedesktop.FileManager1" = "talk";
-      # Uses legacy StatusNotifier implementation
-      "org.kde.*" = "own";
-    };
-    bubblewrap = {
-      # To trace all the home files QQ accesses, you can use the following nushell command:
-      #   just trace-access wechat-uos
-      # See the Justfile in the root of this repository for more information.
-      bind.rw = [
-        # given the read write permission to the following directories.
-        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
-        (sloth.mkdir (sloth.concat [sloth.homeDir "/.xwechat"]))
-        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/xwechat_files"]))
-        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/WeChat_Data/"]))
-        sloth.xdgDownloadDir
-      ];
-      sockets = {
-        x11 = false;
-        wayland = true;
-        pipewire = true;
-      };
-      bind.dev = [
-        "/dev/shm" # Shared Memory
-      ];
-      tmpfs = [
-        "/tmp"
-      ];
-
-      env = {
-        # Hidpi scale
-        "QT_AUTO_SCREEN_SCALE_FACTOR" = "1";
-        # Only supports xcb
-        "QT_QPA_PLATFORM" = "kcb";
-      };
-    };
-  };
-}
@@ -1,4 +1,5 @@
-{modulesPath, ...}: {
+{ modulesPath, ... }:
+{
  imports = [
    (modulesPath + "/profiles/hardened.nix")
  ];
@@ -1,5 +1,49 @@
 # Home Manager's Submodules

-1. `base`: The base module that is suitable for both Linux and macOS.
-2. `linux`: Linux-specific configuration.
-3. `darwin`: macOS-specific configuration.
+This directory contains all Home Manager configurations organized by platform and functionality.
+
+## Current Structure
+
+```
+home/
+├── base/              # Cross-platform home manager configurations
+│   ├── core/          # Essential applications and settings
+│   │   ├── editors/   # Editor configurations (Neovim, Helix)
+│   │   ├── shells/    # Shell configurations (Nushell, Zellij)
+│   │   └── ...
+│   ├── gui/           # GUI applications and desktop settings
+│   │   ├── terminal/  # Terminal emulators (Kitty, Alacritty, etc.)
+│   │   └── ...
+│   ├── tui/           # Terminal/TUI applications
+│   │   ├── editors/   # TUI editors and related tools
+│   │   ├── encryption/ # GPG, password-store, etc.
+│   │   └── ...
+│   └── home.nix       # Main home manager entry point
+├── linux/             # Linux-specific home manager configurations
+│   ├── base/          # Linux base configurations
+│   ├── gui/           # Linux GUI applications
+│   │   ├── hyprland/  # Hyprland window manager
+│   │   ├── niri/      # Niri window manager
+│   │   └── ...
+│   ├── editors/       # Linux-specific editors
+│   └── ...
+└── darwin/            # macOS-specific home manager configurations
+    ├── aerospace/     # macOS window manager
+    ├── proxy/         # Proxy configurations
+    └── ...
+```
+
+## Module Overview
+
+1. **base**: The base module suitable for both Linux and macOS
+   - Cross-platform applications and settings
+   - Shared configurations for editors, shells, and essential tools
+
+2. **linux**: Linux-specific configuration
+   - Desktop environments (Hyprland, Niri)
+   - Linux-specific GUI applications
+   - System integration tools
+
+3. **darwin**: macOS-specific configuration
+   - macOS applications and services
+   - Platform-specific integrations (Aerospace, Squirrel, etc.)
@@ -1,5 +1,66 @@
 # Home Manager's Base Submodules

-1. `server`: Configuration which is suitable for both servers and desktops.
-1. `desktop`: Configuration for desktop environments, such as Hyprland, I3, etc.
-1. `core.nix`: Minimal home-manager's config
+This directory contains cross-platform base configurations that are shared between Linux and Darwin
+systems.
+
+## Configuration Structure
+
+### Core System
+
+- **core/**: Essential cross-platform configurations
+  - **core.nix**: Minimal home-manager configuration
+  - **shells/**: Shell configurations (bash, zsh, fish, nu)
+  - **editors/**: Text editor configurations
+    - **neovim/**: Neovim with custom plugins and settings
+    - **helix/**: Helix editor configuration
+  - **btop.nix**: System monitoring tools
+  - **git.nix**: Git configuration and aliases
+  - **npm.nix**: Node.js package management
+  - **pip.nix**: Python package management
+  - **starship.nix**: Cross-shell prompt configuration
+  - **theme.nix**: Color schemes and theming
+  - **yazi.nix**: Terminal file manager configuration
+  - **zellij/**: Terminal multiplexer with custom layouts
+
+### Desktop Environment
+
+- **gui/**: Cross-platform GUI applications and configurations
+  - **dev-tools.nix**: Development tools and IDEs
+  - **media.nix**: Media players and utilities
+  - **terminal/**: Terminal emulator configurations
+    - **alacritty/**: Alacritty terminal
+    - **kitty/**: Kitty terminal
+    - **foot/**: Foot terminal (Linux)
+    - **ghostty/**: Ghostty terminal
+
+### Terminal Interface
+
+- **tui/**: Terminal-based interface configurations
+  - **cloud/**: Cloud development tools (Terraform, etc.)
+  - **container.nix**: Container tools (Docker, Podman)
+  - **dev-tools.nix**: Terminal-based development tools
+  - **editors/**: Terminal editor configurations
+  - **encryption/**: Encryption and security tools
+  - **gpg/**: GPG key management
+  - **password-store/**: Password management with pass
+  - **shell.nix**: Shell environment configurations
+  - **ssh/**: SSH configuration and management
+  - **zellij/**: Terminal workspace management
+
+### System Management
+
+- **home.nix**: Main home manager configuration file
+
+## Platform Compatibility
+
+All configurations in this directory are designed to work across:
+
+- **Linux**: All distributions with Nix and Home Manager
+- **macOS**: Darwin systems with Home Manager
+- **WSL**: Windows Subsystem for Linux
+
+## Usage
+
+These base configurations provide the foundation for both Linux and Darwin systems, ensuring
+consistent environments across different platforms while allowing for platform-specific
+customizations.
@@ -1,16 +1,8 @@
 {
-  pkgs,
-  nur-ryan4yin,
-  ...
-}: {
-  # https://github.com/catppuccin/btop/blob/main/themes/catppuccin_mocha.theme
-  xdg.configFile."btop/themes".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-btop}/themes";
-
  # replacement of htop/nmon
  programs.btop = {
    enable = true;
    settings = {
-      color_theme = "catppuccin_mocha";
      theme_background = false; # make btop transparent
    };
  };
@@ -1,8 +1,5 @@
+{ pkgs, ... }:
 {
-  pkgs,
-  nur-ryan4yin,
-  ...
-}: {
  home.packages = with pkgs; [
    # Misc
    cowsay
@@ -16,7 +13,7 @@
    # search for files by name, faster than find
    fd
    # search for files by its content, replacement of grep
-    (ripgrep.override {withPCRE2 = true;})
+    (ripgrep.override { withPCRE2 = true; })

    # A fast and polyglot tool for code searching, linting, rewriting at large scale
    # supported languages: only some mainstream languages currently(do not support nix/nginx/yaml/toml/...)
@@ -25,8 +22,6 @@
    sad # CLI search and replace, just like sed, but with diff preview.
    yq-go # yaml processor https://github.com/mikefarah/yq
    just # a command runner like make, but simpler
-    delta # A viewer for git and diff output
-    lazygit # Git terminal UI.
    hyperfine # command-line benchmarking tool
    gping # ping, but with a graph(TUI)
    doggo # DNS client for humans
@@ -53,103 +48,75 @@
    ncdu # analyzer your disk usage Interactively, via TUI(replacement of `du`)
  ];

-  programs = {
-    # A modern replacement for ‘ls’
-    # useful in bash/zsh prompt, not in nushell.
-    eza = {
-      enable = true;
-      # do not enable aliases in nushell!
-      enableNushellIntegration = false;
-      git = true;
-      icons = "auto";
-    };
+  # A modern replacement for ‘ls’
+  # useful in bash/zsh prompt, not in nushell.
+  programs.eza = {
+    enable = true;
+    # do not enable aliases in nushell!
+    enableNushellIntegration = false;
+    git = true;
+    icons = "auto";
+  };

-    # a cat(1) clone with syntax highlighting and Git integration.
-    bat = {
-      enable = true;
-      config = {
-        pager = "less -FR";
-        theme = "catppuccin-mocha";
-      };
-      themes = {
-        # https://raw.githubusercontent.com/catppuccin/bat/main/Catppuccin-mocha.tmTheme
-        catppuccin-mocha = {
-          src = nur-ryan4yin.packages.${pkgs.system}.catppuccin-bat;
-          file = "Catppuccin-mocha.tmTheme";
-        };
-      };
-    };
-
-    # A command-line fuzzy finder
-    fzf = {
-      enable = true;
-      # https://github.com/catppuccin/fzf
-      # catppuccin-mocha
-      colors = {
-        "bg+" = "#313244";
-        "bg" = "#1e1e2e";
-        "spinner" = "#f5e0dc";
-        "hl" = "#f38ba8";
-        "fg" = "#cdd6f4";
-        "header" = "#f38ba8";
-        "info" = "#cba6f7";
-        "pointer" = "#f5e0dc";
-        "marker" = "#f5e0dc";
-        "fg+" = "#cdd6f4";
-        "prompt" = "#cba6f7";
-        "hl+" = "#f38ba8";
-      };
-    };
-
-    # very fast version of tldr in Rust
-    tealdeer = {
-      enable = true;
-      enableAutoUpdates = true;
-      settings = {
-        display = {
-          compact = false;
-          use_pager = true;
-        };
-        updates = {
-          auto_update = false;
-          auto_update_interval_hours = 720;
-        };
-      };
-    };
-
-    # zoxide is a smarter cd command, inspired by z and autojump.
-    # It remembers which directories you use most frequently,
-    # so you can "jump" to them in just a few keystrokes.
-    # zoxide works on all major shells.
-    #
-    #   z foo              # cd into highest ranked directory matching foo
-    #   z foo bar          # cd into highest ranked directory matching foo and bar
-    #   z foo /            # cd into a subdirectory starting with foo
-    #
-    #   z ~/foo            # z also works like a regular cd command
-    #   z foo/             # cd into relative path
-    #   z ..               # cd one level up
-    #   z -                # cd into previous directory
-    #
-    #   zi foo             # cd with interactive selection (using fzf)
-    #
-    #   z foo<SPACE><TAB>  # show interactive completions (zoxide v0.8.0+, bash 4.4+/fish/zsh only)
-    zoxide = {
-      enable = true;
-      enableBashIntegration = true;
-      enableZshIntegration = true;
-      enableNushellIntegration = true;
-    };
-
-    # Atuin replaces your existing shell history with a SQLite database,
-    # and records additional context for your commands.
-    # Additionally, it provides optional and fully encrypted
-    # synchronisation of your history between machines, via an Atuin server.
-    atuin = {
-      enable = true;
-      enableBashIntegration = true;
-      enableZshIntegration = true;
-      enableNushellIntegration = true;
+  # a cat(1) clone with syntax highlighting and Git integration.
+  programs.bat = {
+    enable = true;
+    config = {
+      pager = "less -FR";
    };
  };
+
+  # A command-line fuzzy finder
+  programs.fzf.enable = true;
+
+  # very fast version of tldr in Rust
+  programs.tealdeer = {
+    enable = true;
+    enableAutoUpdates = true;
+    settings = {
+      display = {
+        compact = false;
+        use_pager = true;
+      };
+      updates = {
+        auto_update = false;
+        auto_update_interval_hours = 720;
+      };
+    };
+  };
+
+  # zoxide is a smarter cd command, inspired by z and autojump.
+  # It remembers which directories you use most frequently,
+  # so you can "jump" to them in just a few keystrokes.
+  # zoxide works on all major shells.
+  #
+  #   z foo              # cd into highest ranked directory matching foo
+  #   z foo bar          # cd into highest ranked directory matching foo and bar
+  #   z foo /            # cd into a subdirectory starting with foo
+  #
+  #   z ~/foo            # z also works like a regular cd command
+  #   z foo/             # cd into relative path
+  #   z ..               # cd one level up
+  #   z -                # cd into previous directory
+  #
+  #   zi foo             # cd with interactive selection (using fzf)
+  #
+  #   z foo<SPACE><TAB>  # show interactive completions (zoxide v0.8.0+, bash 4.4+/fish/zsh only)
+  programs.zoxide = {
+    enable = true;
+    enableBashIntegration = true;
+    enableZshIntegration = true;
+    enableNushellIntegration = true;
+  };
+
+  # Atuin replaces your existing shell history with a SQLite database,
+  # and records additional context for your commands.
+  # Additionally, it provides optional and fully encrypted
+  # synchronisation of your history between machines, via an Atuin server.
+  programs.atuin = {
+    enable = true;
+    enableBashIntegration = true;
+    enableZshIntegration = true;
+    enableNushellIntegration = true;
+  };
 }
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
+{
  imports = mylib.scanPaths ./.;
 }
@@ -1,3 +1,10 @@
 # Editors

-See [desktop/editors/](../../desktop/editors/) for more details.
+This directory contains editor configurations that are shared across different environments.
+
+## Available Editors
+
+- **neovim/**: Neovim configuration with AstroNvim
+- **helix/**: Helix editor configuration
+
+These configurations are designed to work across both terminal and GUI environments.
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
+{
  imports = mylib.scanPaths ./.;
 }
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
  programs.helix = {
    enable = true;
  };
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
  programs = {
    neovim = {
      enable = true;
@@ -4,17 +4,37 @@
  pkgs,
  myvars,
  ...
-}: {
+}:
+{
  # `programs.git` will generate the config file: ~/.config/git/config
  # to make git use this config file, `~/.gitconfig` should not exist!
  #
  #    https://git-scm.com/docs/git-config#Documentation/git-config.txt---global
-  home.activation.removeExistingGitconfig = lib.hm.dag.entryBefore ["checkLinkTargets"] ''
+  home.activation.removeExistingGitconfig = lib.hm.dag.entryBefore [ "checkLinkTargets" ] ''
    rm -f ${config.home.homeDirectory}/.gitconfig
  '';

-  home.packages = with pkgs; [
-  ];
+  # GitHub CLI tool
+  # https://cli.github.com/manual/
+  programs.gh = {
+    enable = true;
+    settings = {
+      git_protocol = "ssh";
+      prompt = "enabled";
+      aliases = {
+        co = "pr checkout";
+        pv = "pr view";
+      };
+    };
+    hosts = {
+      "github.com" = {
+        "users" = {
+          "ryan4yin" = null;
+        };
+        "user" = "ryan4yin";
+      };
+    };
+  };

  programs.git = {
    enable = true;
@@ -36,6 +56,7 @@
      trim.bases = "develop,master,main"; # for git-trim
      push.autoSetupRemote = true;
      pull.rebase = true;
+      log.date = "iso"; # use iso format for date

      # replace https with ssh
      url = {
@@ -56,7 +77,7 @@
    #   signByDefault = true;
    # };

-    # A syntax-highlighting pager in Rust(2019 ~ Now)
+    # A syntax-highlighting pager for git, diff, grep, and blame output
    delta = {
      enable = true;
      options = {
@@ -96,4 +117,10 @@
      foreach = "submodule foreach";
    };
  };
+
+  # Git terminal UI (written in go).
+  programs.lazygit.enable = true;
+
+  # Yet another Git TUI (written in rust).
+  programs.gitui.enable = true;
 }
@@ -0,0 +1,10 @@
+{ config, ... }:
+{
+  # make `npm install -g <pkg>` happey
+  #
+  # mainly used to install npm packages that updates frequently
+  # such as gemini-cli, claude-code, etc.
+  home.file.".npmrc".text = ''
+    prefix=${config.home.homeDirectory}/.npm
+  '';
+}
@@ -1,3 +1,8 @@
+# Based on the default config generated by:
+#    ```
+#    config nu --default
+#    ```
+#
 # Nushell Config File Documentation
 #
 # Warning: This file is intended for documentation purposes only and
@@ -1,8 +1,5 @@
-{
-  config,
-  pkgs-unstable,
-  ...
-}: let
+{ config, ... }:
+let
  shellAliases = {
    k = "kubectl";

@@ -13,22 +10,25 @@
  localBin = "${config.home.homeDirectory}/.local/bin";
  goBin = "${config.home.homeDirectory}/go/bin";
  rustBin = "${config.home.homeDirectory}/.cargo/bin";
-in {
-  # only works in bash/zsh, not nushell
-  home.shellAliases = shellAliases;
-
-  programs.nushell = {
-    enable = true;
-    package = pkgs-unstable.nushell;
-    configFile.source = ./config.nu;
-    inherit shellAliases;
-  };
-
+  npmBin = "${config.home.homeDirectory}/.npm/bin";
+in
+{
  programs.bash = {
    enable = true;
    enableCompletion = true;
    bashrcExtra = ''
-      export PATH="$PATH:${localBin}:${goBin}:${rustBin}"
+      export PATH="$PATH:${localBin}:${goBin}:${rustBin}:${npmBin}"
    '';
  };
+
+  # NOTE: only works in bash/zsh, not nushell
+  home.shellAliases = shellAliases;
+
+  # NOTE: nushell will be launched in bash, so it can inherit all the eenvironment variables.
+  programs.nushell = {
+    enable = true;
+    # package = pkgs-unstable.nushell;
+    configFile.source = ./config.nu;
+    inherit shellAliases;
+  };
 }
@@ -1,8 +1,4 @@
 {
-  pkgs,
-  nur-ryan4yin,
-  ...
-}: {
  programs.starship = {
    enable = true;

@@ -10,24 +6,24 @@
    enableZshIntegration = true;
    enableNushellIntegration = true;

-    settings =
-      {
-        character = {
-          success_symbol = "[›](bold green)";
-          error_symbol = "[›](bold red)";
-        };
-        aws = {
-          symbol = "🅰 ";
-        };
-        gcloud = {
-          # do not show the account/project's info
-          # to avoid the leak of sensitive information when sharing the terminal
-          format = "on [$symbol$active(\($region\))]($style) ";
-          symbol = "🅶 ️";
-        };
+    # https://starship.rs/config/
+    settings = {
+      # Get editor completions based on the config schema
+      "$schema" = "https://starship.rs/config-schema.json";
+      character = {
+        success_symbol = "[➜](bold green)";
+        error_symbol = "[➜](bold red)";
+      };
+      # I never rely on the defaults, so this module is useless to me—disabled.
+      # I prefer adding --project, --region to very gcloud/aws command.
+      aws.disabled = true;
+      gcloud.disabled = true;

-        palette = "catppuccin_mocha";
-      }
-      // builtins.fromTOML (builtins.readFile "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-starship}/palettes/mocha.toml");
+      kubernetes = {
+        symbol = "⛵";
+        disabled = false;
+      };
+      os.disabled = false;
+    };
  };
 }
@@ -0,0 +1,16 @@
+{ catppuccin, ... }:
+{
+  # https://github.com/catppuccin/nix
+  imports = [
+    catppuccin.homeModules.catppuccin
+  ];
+
+  catppuccin = {
+    # The default `enable` value for all available programs.
+    enable = true;
+    # one of "latte", "frappe", "macchiato", "mocha"
+    flavor = "mocha";
+    # one of "blue", "flamingo", "green", "lavender", "maroon", "mauve", "peach", "pink", "red", "rosewater", "sapphire", "sky", "teal", "yellow"
+    accent = "pink";
+  };
+}
@@ -1,13 +1,9 @@
+{ pkgs, ... }:
 {
-  pkgs,
-  pkgs-unstable,
-  nur-ryan4yin,
-  ...
-}: {
  # terminal file manager
  programs.yazi = {
    enable = true;
-    package = pkgs-unstable.yazi;
+    package = pkgs.yazi;
    # Changing working directory when exiting Yazi
    enableBashIntegration = true;
    enableNushellIntegration = true;
@@ -18,6 +14,4 @@
      };
    };
  };
-
-  xdg.configFile."yazi/theme.toml".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-yazi}/mocha.toml";
 }
@@ -2,7 +2,8 @@ let
  shellAliases = {
    "zj" = "zellij";
  };
-in {
+in
+{
  programs.zellij = {
    enable = true;
  };
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
+{
  imports = mylib.scanPaths ./.;
 }
@@ -1,10 +1,19 @@
-{pkgs, ...}: {
-  home.packages = with pkgs; [
-    mitmproxy # http/https proxy tool
-    insomnia # REST client
-    wireshark # network analyzer
+{ pkgs, ... }:
+{
+  home.packages =
+    with pkgs;
+    [
+      mitmproxy # http/https proxy tool
+      wireshark # network analyzer

-    # IDEs
-    # jetbrains.idea-community
-  ];
+      # IDEs
+      # jetbrains.idea-community
+
+      # AI cli tools
+      k8sgpt
+      kubectl-ai # an ai helper opensourced by google
+    ]
+    ++ (lib.optionals pkgs.stdenv.isx86_64 [
+      insomnia # REST client
+    ]);
 }
@@ -1,65 +0,0 @@
-[colors.primary]
-background = "#1e1e2e"
-foreground = "#cdd6f4"
-dim_foreground = "#7f849c"
-bright_foreground = "#cdd6f4"
-
-[colors.cursor]
-text = "#1e1e2e"
-cursor = "#f5e0dc"
-
-[colors.vi_mode_cursor]
-text = "#1e1e2e"
-cursor = "#b4befe"
-
-[colors.search.matches]
-foreground = "#1e1e2e"
-background = "#a6adc8"
-
-[colors.search.focused_match]
-foreground = "#1e1e2e"
-background = "#a6e3a1"
-
-[colors.footer_bar]
-foreground = "#1e1e2e"
-background = "#a6adc8"
-
-[colors.hints.start]
-foreground = "#1e1e2e"
-background = "#f9e2af"
-
-[colors.hints.end]
-foreground = "#1e1e2e"
-background = "#a6adc8"
-
-[colors.selection]
-text = "#1e1e2e"
-background = "#f5e0dc"
-
-[colors.normal]
-black = "#45475a"
-red = "#f38ba8"
-green = "#a6e3a1"
-yellow = "#f9e2af"
-blue = "#89b4fa"
-magenta = "#f5c2e7"
-cyan = "#94e2d5"
-white = "#bac2de"
-
-[colors.bright]
-black = "#585b70"
-red = "#f38ba8"
-green = "#a6e3a1"
-yellow = "#f9e2af"
-blue = "#89b4fa"
-magenta = "#f5c2e7"
-cyan = "#94e2d5"
-white = "#a6adc8"
-
-[[colors.indexed_colors]]
-index = 16
-color = "#fab387"
-
-[[colors.indexed_colors]]
-index = 17
-color = "#f5e0dc"
@@ -26,36 +26,43 @@
 {
  programs.alacritty = {
    enable = true;
-    package = pkgs-unstable.alacritty;
+    # package = pkgs-unstable.alacritty;
    # https://alacritty.org/config-alacritty.html
    settings = {
-      general.import = [
-        ./catppuccin-mocha.toml
-      ];
      window = {
        opacity = 0.93;
        startup_mode = "Maximized"; # Maximized window
        dynamic_title = true;
        option_as_alt = "Both"; # Option key acts as Alt on macOS
+        decorations = "None"; # Show neither borders nor title bar
      };
      scrolling = {
        history = 10000;
      };
      font = {
-        bold = {family = "JetBrainsMono Nerd Font";};
-        italic = {family = "JetBrainsMono Nerd Font";};
-        normal = {family = "JetBrainsMono Nerd Font";};
-        bold_italic = {family = "JetBrainsMono Nerd Font";};
-        size =
-          if pkgs.stdenv.isDarwin
-          then 14
-          else 13;
+        bold = {
+          family = "Maple Mono NF CN";
+        };
+        italic = {
+          family = "Maple Mono NF CN";
+        };
+        normal = {
+          family = "Maple Mono NF CN";
+        };
+        bold_italic = {
+          family = "Maple Mono NF CN";
+        };
+        size = if pkgs.stdenv.isDarwin then 14 else 13;
      };
      terminal = {
        # Spawn a nushell in login mode via `bash`
        shell = {
          program = "${pkgs.bash}/bin/bash";
-          args = ["--login" "-c" "nu --login --interactive"];
+          args = [
+            "--login"
+            "-c"
+            "nu --login --interactive"
+          ];
        };
        # Controls the ability to write to the system clipboard with the OSC 52 escape sequence.
        # It's used by zellij to copy text to the system clipboard.
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
+{
  imports = mylib.scanPaths ./.;
 }
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
  programs.foot = {
    # foot is designed only for Linux
    enable = pkgs.stdenv.isLinux;
@@ -16,8 +17,8 @@
    settings = {
      main = {
        term = "foot"; # or "xterm-256color" for maximum compatibility
-        font = "JetBrainsMono Nerd Font:size=14";
-        dpi-aware = "yes";
+        font = "Maple Mono NF CN:size=14";
+        dpi-aware = "no"; # scale via window manager instead

        # Spawn a nushell in login mode via `bash`
        shell = "${pkgs.bash}/bin/bash --login -c 'nu --login --interactive'";
@@ -26,47 +27,6 @@
      mouse = {
        hide-when-typing = "yes";
      };
-
-      # https://github.com/catppuccin/foot/blob/main/themes/catppuccin-mocha.ini
-      cursor = {
-        color = "11111b f5e0dc";
-      };
-      colors = {
-        alpha = "0.93"; # background opacity
-
-        foreground = "cdd6f4";
-        background = "1e1e2e";
-
-        regular0 = "45475a";
-        regular1 = "f38ba8";
-        regular2 = "a6e3a1";
-        regular3 = "f9e2af";
-        regular4 = "89b4fa";
-        regular5 = "f5c2e7";
-        regular6 = "94e2d5";
-        regular7 = "bac2de";
-
-        bright0 = "585b70";
-        bright1 = "f38ba8";
-        bright2 = "a6e3a1";
-        bright3 = "f9e2af";
-        bright4 = "89b4fa";
-        bright5 = "f5c2e7";
-        bright6 = "94e2d5";
-        bright7 = "a6adc8";
-
-        "16" = "fab387";
-        "17" = "f5e0dc";
-
-        "selection-foreground" = "cdd6f4";
-        "selection-background" = "414356";
-
-        "search-box-no-match" = "11111b f38ba8";
-        "search-box-match" = "cdd6f4 313244";
-
-        "jump-labels" = "11111b fab387";
-        urls = "89b4fa";
-      };
    };
  };
 }
@@ -12,17 +12,16 @@
  programs.ghostty = {
    enable = true;
    package =
-      if pkgs.stdenv.isDarwin
-      then pkgs.hello # pkgs.ghostty is currently broken on darwin
-      else pkgs.ghostty; # the stable version
+      if pkgs.stdenv.isDarwin then
+        pkgs.hello # pkgs.ghostty is currently broken on darwin
+      else
+        pkgs.ghostty; # the stable version
    # package = ghostty.packages.${pkgs.system}.default; # the latest version
    enableBashIntegration = false;
    installBatSyntax = false;
    # installVimSyntax = true;
    settings = {
-      theme = "catppuccin-mocha";
-
-      font-family = "JetBrains Mono";
+      font-family = "Maple Mono NF CN";
      font-size = 13;

      background-opacity = 0.93;
@@ -16,17 +16,10 @@
 {
  programs.kitty = {
    enable = true;
-    # kitty has catppuccin theme built-in,
-    # all the built-in themes are packaged into an extra package named `kitty-themes`
-    # and it's installed by home-manager if `theme` is specified.
-    themeFile = "Catppuccin-Mocha";
    font = {
-      name = "JetBrainsMono Nerd Font";
+      name = "Maple Mono NF CN";
      # use different font size on macOS
-      size =
-        if pkgs.stdenv.isDarwin
-        then 14
-        else 13;
+      size = if pkgs.stdenv.isDarwin then 14 else 13;
    };

    # consistent with other terminal emulators
@@ -36,6 +29,10 @@
    };

    settings = {
+      # do not show title bar & window title
+      hide_window_decorations = "titlebar-and-corners";
+      macos_show_window_title_in = "none";
+
      background_opacity = "0.93";
      macos_option_as_alt = true; # Option key acts as Alt on macOS
      enable_audio_bell = false;
@@ -48,6 +45,6 @@
    };

    # macOS specific settings
-    darwinLaunchOptions = ["--start-as=maximized"];
+    darwinLaunchOptions = [ "--start-as=maximized" ];
  };
 }
@@ -1,4 +1,5 @@
-{myvars, ...}: {
+{ myvars, ... }:
+{
  # Home Manager needs a bit of information about you and the
  # paths it should manage.
  home = {
@@ -2,7 +2,8 @@
  lib,
  pkgs,
  ...
-}: {
+}:
+{
  # https://developer.hashicorp.com/terraform/cli/config/config-file
  home.file.".terraformrc".source = ./terraformrc;

@@ -30,9 +31,12 @@
    # digitalocean
    doctl
    # google cloud
-    (google-cloud-sdk.withExtraComponents (with google-cloud-sdk.components; [
-      gke-gcloud-auth-plugin
-    ]))
+    (google-cloud-sdk.withExtraComponents (
+      with google-cloud-sdk.components;
+      [
+        gke-gcloud-auth-plugin
+      ]
+    ))

    # cloud tools that nix do not have cache for.
    terraform
@@ -1,11 +1,12 @@
 {
  pkgs,
-  pkgs-unstable,
+  pkgs-stable,
  nur-ryan4yin,
  ...
-}: {
+}:
+{
  home.packages = with pkgs; [
-    docker-compose
+    podman-compose
    dive # explore docker layers
    lazydocker # Docker terminal UI.
    skopeo # copy/sync images between registries and local storage
@@ -13,50 +14,29 @@

    kubectl
    kubectx # kubectx & kubens
+    kubie # same as kubectl-ctx, but per-shell (won’t touch kubeconfig).
    kubectl-view-secret # kubectl view-secret
    kubectl-tree # kubectl tree
    kubectl-node-shell # exec into node
    kubepug # kubernetes pre upgrade checker
-    k8sgpt
-    nur-ryan4yin.packages.${pkgs.system}.kubectl-ai # an ai helper opensourced by google
+    kubectl-cnpg # cloudnative-pg's cli tool

    kubebuilder
    istioctl
    clusterctl # for kubernetes cluster-api
    kubevirt # virtctl
-    kubernetes-helm
+    pkgs-stable.kubernetes-helm
    fluxcd
    argocd

    ko # build go project to container image
  ];

-  programs = {
-    k9s = {
-      enable = true;
-      # https://k9scli.io/topics/aliases/
-      # aliases = {};
-      settings = {
-        skin = "catppuccino-mocha";
-      };
-      skins.catppuccin-mocha = let
-        skin_file = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-k9s}/dist/mocha.yml"; # theme - catppuccin mocha
-        skin_attr = builtins.fromJSON (
-          builtins.readFile
-          # replace 'base: &base "#1e1e2e"' with 'base: &base "default"'
-          # to make fg/bg color transparent. "default" means transparent in k9s skin.
-          (pkgs.runCommandNoCC "get-skin-json" {} ''
-            cat ${skin_file} \
-              |  sed -E 's@(base: &base ).+@\1 "default"@g' \
-              | ${pkgs.yj}/bin/yj > $out
-          '')
-        );
-      in
-        skin_attr;
-    };
-    kubecolor = {
-      enable = true;
-      enableAlias = true;
-    };
+  programs.k9s.enable = true;
+  catppuccin.k9s.transparent = true;
+
+  programs.kubecolor = {
+    enable = true;
+    enableAlias = true;
  };
 }
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
+{
  imports = mylib.scanPaths ./.;
 }
@@ -2,7 +2,8 @@
  pkgs,
  pkgs-unstable,
  ...
-}: {
+}:
+{
  #############################################################
  #
  #  Basic settings for development environment
@@ -17,9 +18,11 @@
  home.packages = with pkgs; [
    colmena # nixos's remote deployment tool

+    tokei # count lines of code, alternative to cloc
+
    # db related
-    pkgs-unstable.mycli
-    pkgs-unstable.pgcli
+    mycli
+    pgcli
    mongosh
    sqlite

@@ -27,13 +30,12 @@
    minicom

    # ai related
-    pkgs-unstable.python313Packages.huggingface-hub # huggingface-cli
+    python313Packages.huggingface-hub # huggingface-cli

    # misc
-    pkgs-unstable.devbox
+    devbox
    bfg-repo-cleaner # remove large files from git history
    k6 # load testing tool
-    protobuf # protocol buffer compiler

    # solve coding extercises - learn by doing
    exercism
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
+{
  imports = mylib.scanPaths ./.;
 }
@@ -1,16 +1,9 @@
+{ pkgs, ... }:
 {
-  pkgs,
-  nur-ryan4yin,
-  ...
-}: {
-  # https://github.com/catppuccin/helix
-  xdg.configFile."helix/themes".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-helix}/themes/default";
-
  programs.helix = {
    enable = true;
    package = pkgs.helix;
    settings = {
-      theme = "catppuccin_mocha";
      editor = {
        line-number = "relative";
        cursorline = true;
@@ -29,7 +22,10 @@
          w = ":w";
          q = ":q";
        };
-        esc = ["collapse_selection" "keep_primary_selection"];
+        esc = [
+          "collapse_selection"
+          "keep_primary_selection"
+        ];
      };
    };
  };
@@ -18,57 +18,64 @@ let
  # the path to nvim directory
  # to make this symlink work, we need to git clone this repo to your home directory.
  configPath = "${config.home.homeDirectory}/nix-config/home/base/tui/editors/neovim/nvim";
-in {
+in
+{
  xdg.configFile."nvim".source = config.lib.file.mkOutOfStoreSymlink configPath;
+  # Disable catppuccin to avoid conflict with my non-nix config.
+  catppuccin.nvim.enable = false;

  home.shellAliases = shellAliases;
  programs.nushell.shellAliases = shellAliases;

-  programs = {
-    neovim = {
-      enable = true;
-      package = pkgs-unstable.neovim-unwrapped;
+  programs.neovim = {
+    enable = true;
+    package = pkgs-unstable.neovim-unwrapped;

-      # defaultEditor = true; # set EDITOR at system-wide level
-      viAlias = true;
-      vimAlias = true;
+    # defaultEditor = true; # set EDITOR at system-wide level
+    viAlias = true;
+    vimAlias = true;

-      # These environment variables are needed to build and run binaries
-      # with external package managers like mason.nvim.
-      #
-      # LD_LIBRARY_PATH is also needed to run the non-FHS binaries downloaded by mason.nvim.
-      # it will be set by nix-ld, so we do not need to set it here again.
-      extraWrapperArgs = with pkgs; [
-        # LIBRARY_PATH is used by gcc before compilation to search directories
-        # containing static and shared libraries that need to be linked to your program.
-        "--suffix"
-        "LIBRARY_PATH"
-        ":"
-        "${lib.makeLibraryPath [stdenv.cc.cc zlib]}"
+    # These environment variables are needed to build and run binaries
+    # with external package managers like mason.nvim.
+    #
+    # LD_LIBRARY_PATH is also needed to run the non-FHS binaries downloaded by mason.nvim.
+    # it will be set by nix-ld, so we do not need to set it here again.
+    extraWrapperArgs = with pkgs; [
+      # LIBRARY_PATH is used by gcc before compilation to search directories
+      # containing static and shared libraries that need to be linked to your program.
+      "--suffix"
+      "LIBRARY_PATH"
+      ":"
+      "${lib.makeLibraryPath [
+        stdenv.cc.cc
+        zlib
+      ]}"

-        # PKG_CONFIG_PATH is used by pkg-config before compilation to search directories
-        # containing .pc files that describe the libraries that need to be linked to your program.
-        "--suffix"
-        "PKG_CONFIG_PATH"
-        ":"
-        "${lib.makeSearchPathOutput "dev" "lib/pkgconfig" [stdenv.cc.cc zlib]}"
-      ];
+      # PKG_CONFIG_PATH is used by pkg-config before compilation to search directories
+      # containing .pc files that describe the libraries that need to be linked to your program.
+      "--suffix"
+      "PKG_CONFIG_PATH"
+      ":"
+      "${lib.makeSearchPathOutput "dev" "lib/pkgconfig" [
+        stdenv.cc.cc
+        zlib
+      ]}"
+    ];

-      # Currently we use lazy.nvim as neovim's package manager, so comment this one.
-      #
-      # NOTE: These plugins will not be used by astronvim by default!
-      # We should install packages that will compile locally or download FHS binaries via Nix!
-      # and use lazy.nvim's `dir` option to specify the package directory in nix store.
-      # so that these plugins can work on NixOS.
-      #
-      # related project:
-      #  https://github.com/b-src/lazy-nix-helper.nvim
-      plugins = with pkgs.vimPlugins; [
-        # search all the plugins using https://search.nixos.org/packages
-        telescope-fzf-native-nvim
+    # Currently we use lazy.nvim as neovim's package manager, so comment this one.
+    #
+    # NOTE: These plugins will not be used by astronvim by default!
+    # We should install packages that will compile locally or download FHS binaries via Nix!
+    # and use lazy.nvim's `dir` option to specify the package directory in nix store.
+    # so that these plugins can work on NixOS.
+    #
+    # related project:
+    #  https://github.com/b-src/lazy-nix-helper.nvim
+    plugins = with pkgs.vimPlugins; [
+      # search all the plugins using https://search.nixos.org/packages
+      telescope-fzf-native-nvim

-        nvim-treesitter.withAllGrammars
-      ];
-    };
+      nvim-treesitter.withAllGrammars
+    ];
  };
 }
@@ -2,101 +2,137 @@
  "AstroNvim": { "branch": "main", "commit": "c5e610f614e74c9dd9bf11760c4d0ad2c98c0abe" },
  "Comment.nvim": { "branch": "master", "commit": "e30b7f2008e52442154b66f7c519bfd2f1e32acb" },
  "LuaSnip": { "branch": "master", "commit": "458560534a73f7f8d7a11a146c801db00b081df0" },
-  "SchemaStore.nvim": { "branch": "main", "commit": "6c52c57432280c54596feb0c0958e1a6cb546f4d" },
  "aerial.nvim": { "branch": "master", "commit": "3284a2cb858ba009c79da87d5e010ccee3c99c4d" },
  "alpha-nvim": { "branch": "main", "commit": "de72250e054e5e691b9736ee30db72c65d560771" },
-  "astrocommunity": { "branch": "main", "commit": "16231a665146b0fe70593dd450afd6e964a3cbe1" },
+  "astrocommunity": { "branch": "main", "commit": "2db3ee2ce37f9e2bc9e6ea2c3e2e6292ca4d33bf" },
  "astrocore": { "branch": "main", "commit": "44a3dc0bf1591022b2a6bc89dccdfac1be17bec9" },
  "astrolsp": { "branch": "main", "commit": "909fbe64f3f87d089ff3777751261544557117cc" },
  "astrotheme": { "branch": "main", "commit": "f12dcf64b1f9a05839c3ac2146f550f43bae9dab" },
  "astroui": { "branch": "main", "commit": "e923a84c488d879a260fc9cfb2dc27dd870fb6ac" },
  "autosave.nvim": { "branch": "main", "commit": "348f72cf0241e3e736e3396c4834def2f8ef8d10" },
-  "avante.nvim": { "branch": "main", "commit": "bc403ddcbf98c4181ee2a7efd35cd1e18a2fdc5c" },
-  "catppuccin": { "branch": "main", "commit": "a0c769bc7cd04bbbf258b3d5f01e2bdce744108d" },
-  "clangd_extensions.nvim": { "branch": "main", "commit": "db28f29be928d18cbfb86fbfb9f83f584f658feb" },
-  "cmake-tools.nvim": { "branch": "master", "commit": "591ae37fc5494677e929118f0a182d2b61fe1af1" },
+  "avante.nvim": { "branch": "main", "commit": "508cc4c22c78d565d270df8dec5449db07800296" },
+  "catppuccin": { "branch": "main", "commit": "fa42eb5e26819ef58884257d5ae95dd0552b9a66" },
+  "clangd_extensions.nvim": {
+    "branch": "main",
+    "commit": "db28f29be928d18cbfb86fbfb9f83f584f658feb"
+  },
+  "cmake-tools.nvim": { "branch": "master", "commit": "17244215b1a96e4b2a83a16abd6719197f270f96" },
  "cmp-buffer": { "branch": "main", "commit": "3022dbc9166796b644a841a02de8dd1cc1d311fa" },
  "cmp-conjure": { "branch": "master", "commit": "8c9a88efedc0e5bf3165baa6af8a407afe29daf6" },
  "cmp-dap": { "branch": "master", "commit": "ea92773e84c0ad3288c3bc5e452ac91559669087" },
  "cmp-nvim-lsp": { "branch": "main", "commit": "99290b3ec1322070bcfb9e846450a46f6efa50f0" },
  "cmp-path": { "branch": "main", "commit": "91ff86cd9c29299a64f968ebb45846c485725f23" },
  "cmp_luasnip": { "branch": "master", "commit": "98d9cb5c2c38532bd9bdb481067b20fea8f32e90" },
-  "conjure": { "branch": "main", "commit": "83c6394f916197d73f2a19538bd5615e08842d10" },
+  "conjure": { "branch": "main", "commit": "5f15eb0322b5530eefb16457c061e7c2ccd7cf13" },
  "crates.nvim": { "branch": "main", "commit": "5d8b1bef686db0fabe5f1bb593744b617e8f1405" },
  "deno-nvim": { "branch": "master", "commit": "5a2f9205df5539c4a0696e73893bf8d1b0cae406" },
  "dressing.nvim": { "branch": "master", "commit": "3a45525bb182730fe462325c99395529308f431e" },
  "flash.nvim": { "branch": "main", "commit": "3c942666f115e2811e959eabbdd361a025db8b63" },
  "flit.nvim": { "branch": "main", "commit": "1ef72de6a02458d31b10039372c8a15ab8989e0d" },
  "friendly-snippets": { "branch": "main", "commit": "efff286dd74c22f731cdec26a70b46e5b203c619" },
-  "fzf-lua": { "branch": "main", "commit": "3de691fafd097177d10ebffb91dec5bec2cb30ed" },
+  "fzf-lua": { "branch": "main", "commit": "a4404dee0a65d3c2e2b292206d10b16567d088c9" },
  "gitsigns.nvim": { "branch": "main", "commit": "7010000889bfb6c26065e0b0f7f1e6aa9163edd9" },
-  "gopher.nvim": { "branch": "main", "commit": "9db5931af1293ae52500921d92c02145d86df02c" },
+  "gopher.nvim": { "branch": "main", "commit": "de585144ebde9f0516fb9b542dd42e90c7835b59" },
  "goto-preview": { "branch": "main", "commit": "d1faf6ea992b5bcaaaf2c682e1aba3131a01143e" },
  "guess-indent.nvim": { "branch": "main", "commit": "6cd61f7a600bb756e558627cd2e740302c58e32d" },
  "heirline.nvim": { "branch": "master", "commit": "fae936abb5e0345b85c3a03ecf38525b0828b992" },
-  "indent-blankline.nvim": { "branch": "master", "commit": "005b56001b2cb30bfa61b7986bc50657816ba4ba" },
+  "indent-blankline.nvim": {
+    "branch": "master",
+    "commit": "005b56001b2cb30bfa61b7986bc50657816ba4ba"
+  },
  "lazy.nvim": { "branch": "main", "commit": "6c3bda4aca61a13a9c63f1c1d1b16b9d3be90d7a" },
  "lazydev.nvim": { "branch": "main", "commit": "f59bd14a852ca43db38e3662395354cb2a9b13e0" },
-  "leap.nvim": { "branch": "main", "commit": "08ca7ec9e859856251d56c22ea107f82f563ff3c" },
-  "lsp_signature.nvim": { "branch": "master", "commit": "d50e40b3bf9324128e71b0b7e589765ce89466d2" },
+  "leap.nvim": { "branch": "main", "commit": "10c14af4ddfb34dbd7721f0bfb2b4d91f0558907" },
+  "lsp_signature.nvim": {
+    "branch": "master",
+    "commit": "2923666d092300e6d03c8d895991d0bef43f1613"
+  },
  "lspkind.nvim": { "branch": "master", "commit": "d79a1c3299ad0ef94e255d045bed9fa26025dab6" },
  "luarocks.nvim": { "branch": "main", "commit": "1db9093915eb16ba2473cfb8d343ace5ee04130a" },
-  "markdown-preview.nvim": { "branch": "main", "commit": "462ce41af003f5cdadab856f3a42dc27e39b89c8" },
-  "mason-lspconfig.nvim": { "branch": "main", "commit": "1a31f824b9cd5bc6f342fc29e9a53b60d74af245" },
+  "markdown-preview.nvim": {
+    "branch": "main",
+    "commit": "462ce41af003f5cdadab856f3a42dc27e39b89c8"
+  },
+  "mason-lspconfig.nvim": {
+    "branch": "main",
+    "commit": "1a31f824b9cd5bc6f342fc29e9a53b60d74af245"
+  },
  "mason-null-ls.nvim": { "branch": "main", "commit": "2b8433f76598397fcc97318d410e0c4f7a4bea6a" },
  "mason-nvim-dap.nvim": { "branch": "main", "commit": "4c2cdc69d69fe00c15ae8648f7e954d99e5de3ea" },
  "mason.nvim": { "branch": "main", "commit": "fc98833b6da5de5a9c5b1446ac541577059555be" },
-  "mini.ai": { "branch": "main", "commit": "5225f16eacf4dce2cb7204ca345123ef54e209d6" },
+  "mini.ai": { "branch": "main", "commit": "d172ada7b0281044a06cb9a625a862553c457b6f" },
  "mini.bufremove": { "branch": "main", "commit": "285bdac9596ee7375db50c0f76ed04336dcd2685" },
-  "mini.surround": { "branch": "main", "commit": "f4307f935ad87cfe3e570dbaae485b35cce4e5ec" },
+  "mini.surround": { "branch": "main", "commit": "1a2b59c77a0c4713a5bd8972da322f842f4821b1" },
  "neo-tree.nvim": { "branch": "main", "commit": "f481de16a0eb59c985abac8985e3f2e2f75b4875" },
  "neoconf.nvim": { "branch": "main", "commit": "f630568a4d04154803886f21ca60923f12709f0f" },
-  "nfnl": { "branch": "main", "commit": "19cac83657514a0718b7af4a086d06bd73269b7a" },
+  "nfnl": { "branch": "main", "commit": "143b595069d98d47b26b80f0e0375420673de4af" },
  "none-ls.nvim": { "branch": "main", "commit": "a117163db44c256d53c3be8717f3e1a2a28e6299" },
  "nui.nvim": { "branch": "main", "commit": "a0fd35fcbb4cb479366f1dc5f20145fd718a3733" },
  "nvim-autopairs": { "branch": "master", "commit": "68f0e5c3dab23261a945272032ee6700af86227a" },
  "nvim-cmp": { "branch": "main", "commit": "1e1900b0769324a9675ef85b38f99cca29e203b3" },
-  "nvim-colorizer.lua": { "branch": "master", "commit": "517df88cf2afb36652830df2c655df2da416a0ae" },
+  "nvim-colorizer.lua": {
+    "branch": "master",
+    "commit": "517df88cf2afb36652830df2c655df2da416a0ae"
+  },
  "nvim-dap": { "branch": "master", "commit": "6a5bba0ddea5d419a783e170c20988046376090d" },
  "nvim-dap-go": { "branch": "main", "commit": "8763ced35b19c8dc526e04a70ab07c34e11ad064" },
  "nvim-dap-python": { "branch": "master", "commit": "261ce649d05bc455a29f9636dc03f8cdaa7e0e2c" },
  "nvim-dap-ui": { "branch": "master", "commit": "bc81f8d3440aede116f821114547a476b082b319" },
-  "nvim-jdtls": { "branch": "master", "commit": "c23f200fee469a415c77265ca55b496feb646992" },
-  "nvim-lsp-file-operations": { "branch": "master", "commit": "9744b738183a5adca0f916527922078a965515ed" },
+  "nvim-jdtls": { "branch": "master", "commit": "4d77ff02063cf88963d5cf10683ab1fd15d072de" },
+  "nvim-lsp-file-operations": {
+    "branch": "master",
+    "commit": "9744b738183a5adca0f916527922078a965515ed"
+  },
  "nvim-lspconfig": { "branch": "master", "commit": "185b2af444b27d6541c02d662b5b68190e5cf0c4" },
  "nvim-nio": { "branch": "master", "commit": "21f5324bfac14e22ba26553caf69ec76ae8a7662" },
  "nvim-notify": { "branch": "master", "commit": "a3020c2cf4dfc4c4f390c4a21e84e35e46cf5d17" },
  "nvim-scrollbar": { "branch": "main", "commit": "5b103ef0fd2e8b9b4be3878ed38d224522192c6c" },
  "nvim-spectre": { "branch": "master", "commit": "72f56f7585903cd7bf92c665351aa585e150af0f" },
-  "nvim-spider": { "branch": "main", "commit": "99df646eab60df0b948dd2532ef5f5512707a9a4" },
+  "nvim-spider": { "branch": "main", "commit": "d4bdc45eac425e77108f068bd0706ff3ac20be7f" },
  "nvim-treesitter": { "branch": "master", "commit": "f8aaf5ce4e27cd20de917946b2ae5c968a2c2858" },
-  "nvim-treesitter-textobjects": { "branch": "master", "commit": "9937e5e356e5b227ec56d83d0a9d0a0f6bc9cad4" },
+  "nvim-treesitter-textobjects": {
+    "branch": "master",
+    "commit": "9937e5e356e5b227ec56d83d0a9d0a0f6bc9cad4"
+  },
  "nvim-ts-autotag": { "branch": "main", "commit": "a1d526af391f6aebb25a8795cbc05351ed3620b5" },
-  "nvim-ts-context-commentstring": { "branch": "main", "commit": "1b212c2eee76d787bbea6aa5e92a2b534e7b4f8f" },
+  "nvim-ts-context-commentstring": {
+    "branch": "main",
+    "commit": "1b212c2eee76d787bbea6aa5e92a2b534e7b4f8f"
+  },
  "nvim-ufo": { "branch": "main", "commit": "61463090a4f55f5d080236ea62f09d1cd8976ff3" },
  "nvim-vtsls": { "branch": "main", "commit": "60b493e641d3674c030c660cabe7a2a3f7a914be" },
  "nvim-web-devicons": { "branch": "master", "commit": "4c3a5848ee0b09ecdea73adcd2a689190aeb728c" },
  "nvim-window-picker": { "branch": "main", "commit": "6382540b2ae5de6c793d4aa2e3fe6dbb518505ec" },
-  "orgmode": { "branch": "master", "commit": "32ef9e95f43a6e951fb931b438372546a4f0c524" },
+  "orgmode": { "branch": "master", "commit": "b6d14eb0a1553a0ef4114346d67605de82d0f7fb" },
  "package-info.nvim": { "branch": "master", "commit": "4f1b8287dde221153ec9f2acd46e8237d2d0881e" },
-  "parinfer-rust": { "branch": "master", "commit": "55bec1e3d4f127527c5c2e507fac96cc934aed6e" },
+  "parinfer-rust": { "branch": "master", "commit": "afe6b1176cd805c000713e23b654fbf4b9f4b156" },
  "plenary.nvim": { "branch": "master", "commit": "857c5ac632080dba10aae49dba902ce3abf91b35" },
  "presence.nvim": { "branch": "main", "commit": "87c857a56b7703f976d3a5ef15967d80508df6e6" },
  "promise-async": { "branch": "main", "commit": "38a4575da9497326badd3995e768b4ccf0bb153e" },
-  "refactoring.nvim": { "branch": "master", "commit": "64dbe67bf7c28c864488262d267c799f80cae9ba" },
-  "render-markdown.nvim": { "branch": "main", "commit": "8debb17aab2fbbf3b341e46ac032d0a6f937d8c3" },
+  "refactoring.nvim": { "branch": "master", "commit": "74b608dfee827c2372250519d433cc21cb083407" },
+  "render-markdown.nvim": {
+    "branch": "main",
+    "commit": "c809fc129f842a7055c672593d24be6346bcc673"
+  },
  "resession.nvim": { "branch": "master", "commit": "cc819b0489938d03e4f3532a583354f0287c015b" },
-  "rustaceanvim": { "branch": "master", "commit": "5120207f90846704a74cbf043295698b009bd5de" },
+  "rustaceanvim": { "branch": "master", "commit": "322224d00a731d75eed6b700d38e460fd30f6e3c" },
+  "schemastore.nvim": { "branch": "main", "commit": "e4f80f37cd11ed58a6e914cc30850749f021b6a7" },
  "sentiment.nvim": { "branch": "main", "commit": "54a6db15b630eccfa98c32a76baf90f21c6f1e40" },
  "smart-splits.nvim": { "branch": "master", "commit": "ddb23c1a1cf1507bda487cda7f6e4690965ef9f5" },
-  "telescope-fzf-native.nvim": { "branch": "main", "commit": "1f08ed60cafc8f6168b72b80be2b2ea149813e55" },
+  "telescope-fzf-native.nvim": {
+    "branch": "main",
+    "commit": "1f08ed60cafc8f6168b72b80be2b2ea149813e55"
+  },
  "telescope-undo.nvim": { "branch": "main", "commit": "928d0c2dc9606e01e2cc547196f48d2eaecf58e5" },
  "telescope.nvim": { "branch": "0.1.x", "commit": "a17d611a0e111836a1db5295f04945df407c5135" },
  "todo-comments.nvim": { "branch": "main", "commit": "ae0a2afb47cf7395dc400e5dc4e05274bf4fb9e0" },
-  "tree-sitter-nu": { "branch": "main", "commit": "d5c71a10b4d1b02e38967b05f8de70e847448dd1" },
+  "tree-sitter-nu": { "branch": "main", "commit": "d62bb4a0c78e9476a6dd0081761444f6870252ed" },
  "treesj": { "branch": "main", "commit": "3b4a2bc42738a63de17e7485d4cc5e49970ddbcc" },
  "tsc.nvim": { "branch": "main", "commit": "8c1b4ec6a48d038a79ced8674cb15e7db6dd8ef0" },
-  "venv-selector.nvim": { "branch": "regexp", "commit": "c677caa1030808a9f90092e522de7cc20c1390dd" },
+  "venv-selector.nvim": {
+    "branch": "regexp",
+    "commit": "c677caa1030808a9f90092e522de7cc20c1390dd"
+  },
  "vim-illuminate": { "branch": "master", "commit": "19cb21f513fc2b02f0c66be70107741e837516a1" },
  "vim-repeat": { "branch": "master", "commit": "65846025c15494983dafe5e3b46c8f88ab2e9635" },
  "vim-wakatime": { "branch": "master", "commit": "f39c4a201ae350aaba713b59d4a4fdd88e0811aa" },
@@ -52,7 +52,8 @@ return {
      "terraformls", -- terraform hcl
      "marksman", -- markdown ls
      "nickel_ls", -- nickel language server
-      "nil_ls", -- nix language server
+      -- "nil_ls", -- nix language server
+      "nixd", -- another nix language server
      "buf_ls", -- protocol buffer language server
      "dockerls", -- dockerfile
      "cmake", -- cmake language server
@@ -19,8 +19,8 @@ return {
  },
  version = false, -- Never set this value to "*"! Never!
  opts = {
-    provider = "deepseek_reasoner",
-    cursor_applying_provider = "deepseek_reasoner", -- In this example, use Groq for applying, but you can also use any provider you want.
+    provider = "openrouter_claude_4",
+    cursor_applying_provider = "openrouter_claude_4",
    behaviour = {
      -- auto_suggestions = true,
      enable_cursor_planning_mode = true, -- enable cursor planning mode!
@@ -28,44 +28,104 @@ return {
    -- WARNING: Since auto-suggestions are a high-frequency operation and therefore expensive,
    -- currently designating it as `copilot` provider is dangerous because: https://github.com/yetone/avante.nvim/issues/1048
    -- Of course, you can reduce the request frequency by increasing `suggestion.debounce`.
-    auto_suggestions_provider = "aliyun_qwen3",
+    auto_suggestions_provider = "ollama",
    suggestion = {
      debounce = 750, -- wait for x ms before suggestion
      throttle = 1200, -- wait for at least x ms before the next suggestion
    },
-
-    ollama = {
-      endpoint = "http://192.168.5.100:11434", -- Note that there is no /v1 at the end.
-      model = "modelscope.cn/unsloth/Qwen3-30B-A3B-GGUF",
-      -- model = "modelscope.cn/unsloth/Qwen3-235B-A22B-GGUF",
+    web_search_engine = {
+      provider = "google", -- tavily, serpapi, searchapi, google, kagi, brave, or searxng
+      proxy = nil, -- proxy support, e.g., http://127.0.0.1:7890
    },
-    vendors = {
-      deepseek_coder = {
-        __inherited_from = "openai",
-        api_key_name = "DEEPSEEK_API_KEY",
-        endpoint = "https://api.deepseek.com",
-        model = "deepseek-coder",
+
+    providers = {
+      ollama = {
+        endpoint = "http://192.168.5.100:11434", -- Note that there is no /v1 at the end.
+        model = "modelscope.cn/unsloth/Qwen3-30B-A3B-GGUF",
+        -- model = "modelscope.cn/unsloth/Qwen3-32B-GGUF",
      },
-      -- deepseek chat v3
-      deepseek_chat = {
-        __inherited_from = "openai",
-        api_key_name = "DEEPSEEK_API_KEY",
-        endpoint = "https://api.deepseek.com",
-        model = "deepseek-chat",
+      -- ==============================================
+      -- https://aistudio.google.com/prompts/new_chat
+      -- ==============================================
+      gemini = {
+        api_key_name = "GEMINI_API_KEY",
+        model = "gemini-2.5-pro-preview-06-05",
+        timeout = 30000, -- Timeout in milliseconds, increase this for reasoning models
+        temperature = 0,
+        max_completion_tokens = 8192, -- Increase this to include reasoning tokens (for reasoning models)
+        --reasoning_effort = "medium", -- low|medium|high, only used for reasoning models
      },
-      -- deepseek r1
-      deepseek_reasoner = {
+      -- ==============================================
+      -- https://openrouter.ai/rankings
+      -- ==============================================
+      openrouter_claude_4 = {
        __inherited_from = "openai",
-        api_key_name = "DEEPSEEK_API_KEY",
-        endpoint = "https://api.deepseek.com",
-        model = "deepseek-reasoner",
+        endpoint = "https://openrouter.ai/api/v1",
+        api_key_name = "OPENROUTER_API_KEY",
+        model = "anthropic/claude-sonnet-4",
      },
+      -- ==============================================
+      -- https://bailian.console.aliyun.com/?tab=model
+      -- ==============================================
      aliyun_qwen3 = {
        __inherited_from = "openai",
        api_key_name = "DASHSCOPE_API_KEY",
        endpoint = "https://dashscope.aliyuncs.com/compatible-mode/v1",
        -- model = "qwen-coder-plus-latest",
        model = "qwen3-235b-a22b",
+        -- disable_tools = true,
+      },
+      aliyun_dpr1 = {
+        __inherited_from = "openai",
+        api_key_name = "DASHSCOPE_API_KEY",
+        endpoint = "https://dashscope.aliyuncs.com/compatible-mode/v1",
+        model = "deepseek-r1-0528",
+        disable_tools = true,
+      },
+      -- ==============================================
+      -- https://console.volcengine.com/ark/region:ark+cn-beijing/model?feature=&vendor=DeepSeek&view=VENDOR_VIEW
+      -- ==============================================
+      ark_dpr1 = {
+        __inherited_from = "openai",
+        api_key_name = "ARK_API_KEY",
+        endpoint = "https://ark.cn-beijing.volces.com/api/v3",
+        model = "deepseek-r1-250528",
+        -- disable_tools = true,
+      },
+      -- ==============================================
+      -- https://cloud.siliconflow.cn/models
+      -- ==============================================
+      sflow_dpr1 = {
+        __inherited_from = "openai",
+        api_key_name = "SILICONFLOW_API_KEY",
+        endpoint = "https://api.siliconflow.cn/v1",
+        model = "Pro/deepseek-ai/DeepSeek-R1",
+        -- disable_tools = true,
+      },
+      -- ==============================================
+      -- https://platform.deepseek.com/usage
+      -- ==============================================
+      dp_coder = {
+        __inherited_from = "openai",
+        api_key_name = "DEEPSEEK_API_KEY",
+        endpoint = "https://api.deepseek.com",
+        model = "deepseek-coder",
+      },
+      -- deepseek chat v3
+      dp_chat = {
+        __inherited_from = "openai",
+        api_key_name = "DEEPSEEK_API_KEY",
+        endpoint = "https://api.deepseek.com",
+        model = "deepseek-chat",
+        -- disable_tools = true,
+      },
+      -- deepseek r1
+      dp_r1 = {
+        __inherited_from = "openai",
+        api_key_name = "DEEPSEEK_API_KEY",
+        endpoint = "https://api.deepseek.com",
+        model = "deepseek-reasoner",
+        -- disable_tools = true,
      },
    },
  },
@@ -1,13 +1,15 @@
 -- File explorer(Custom configs)
 return {
  "nvim-neo-tree/neo-tree.nvim",
-  opts = {
-    filesystem = {
-      filtered_items = {
-        visible = true, -- visible by default
-        hide_dotfiles = false,
-        hide_gitignored = false,
-      },
-    },
-  },
+  opts = function(_, opts)
+    opts.filesystem.filtered_items = {
+      visible = true, -- visible by default
+      hide_dotfiles = false,
+      hide_gitignored = false,
+    }
+    opts.filesystem.follow_current_file = {
+      enabled = true, -- This will find and focus the file in the active buffer every time
+      leave_dirs_open = false, -- `false` closes auto expanded dirs, such as with `:Neotree reveal`
+    }
+  end,
 }
@@ -39,7 +39,7 @@ return {
      formatting.shfmt, -- Shell formatter
      formatting.terraform_fmt, -- Terraform formatter
      formatting.stylua, -- Lua formatter
-      formatting.alejandra, -- Nix formatter
+      -- formatting.alejandra, -- Nix formatter
      formatting.sqlfluff.with { -- SQL formatter
        extra_args = { "--dialect", "postgres" }, -- change to your dialect
      },
@@ -2,152 +2,160 @@
  pkgs,
  pkgs-unstable,
  ...
-}: {
-  home.packages = with pkgs; (
-    # -*- Data & Configuration Languages -*-#
-    [
-      #-- nix
-      nil
-      # rnix-lsp
-      # nixd
-      statix # Lints and suggestions for the nix programming language
-      deadnix # Find and remove unused code in .nix source files
-      alejandra # Nix Code Formatter
+}:
+{
+  home.packages =
+    with pkgs;
+    (
+      # -*- Data & Configuration Languages -*-#
+      [
+        #-- nix
+        nil
+        nixd
+        statix # Lints and suggestions for the nix programming language
+        deadnix # Find and remove unused code in .nix source files
+        nixfmt # Nix Code Formatter

-      #-- nickel lang
-      nickel
+        #-- nickel lang
+        nickel

-      #-- json like
-      # terraform  # install via brew on macOS
-      terraform-ls
-      jsonnet
-      jsonnet-language-server
-      taplo # TOML language server / formatter / validator
-      nodePackages.yaml-language-server
-      actionlint # GitHub Actions linter
+        #-- json like
+        # terraform  # install via brew on macOS
+        terraform-ls
+        jsonnet
+        jsonnet-language-server
+        taplo # TOML language server / formatter / validator
+        nodePackages.yaml-language-server
+        actionlint # GitHub Actions linter

-      #-- dockerfile
-      hadolint # Dockerfile linter
-      nodePackages.dockerfile-language-server-nodejs
+        #-- dockerfile
+        hadolint # Dockerfile linter
+        dockerfile-language-server

-      #-- markdown
-      marksman # language server for markdown
-      glow # markdown previewer
-      pandoc # document converter
-      pkgs-unstable.hugo # static site generator
+        #-- markdown
+        marksman # language server for markdown
+        glow # markdown previewer
+        pandoc # document converter
+        pkgs-unstable.hugo # static site generator

-      #-- sql
-      sqlfluff
+        #-- sql
+        sqlfluff

-      #-- protocol buffer
-      buf # linting and formatting
-    ]
-    ++
-    #-*- General Purpose Languages -*-#
-    [
-      #-- c/c++
-      cmake
-      cmake-language-server
-      gnumake
-      checkmake
-      # c/c++ compiler, required by nvim-treesitter!
-      gcc
-      gdb
-      # c/c++ tools with clang-tools, the unwrapped version won't
-      # add alias like `cc` and `c++`, so that it won't conflict with gcc
-      # llvmPackages.clang-unwrapped
-      clang-tools
-      lldb
-      vscode-extensions.vadimcn.vscode-lldb.adapter # codelldb - debugger
+        #-- protocol buffer
+        buf # linting and formatting
+      ]
+      ++
+        #-*- General Purpose Languages -*-#
+        [
+          #-- c/c++
+          cmake
+          cmake-language-server
+          gnumake
+          checkmake
+          # c/c++ compiler, required by nvim-treesitter!
+          gcc
+          gdb
+          # c/c++ tools with clang-tools, the unwrapped version won't
+          # add alias like `cc` and `c++`, so that it won't conflict with gcc
+          # llvmPackages.clang-unwrapped
+          clang-tools
+          lldb
+          vscode-extensions.vadimcn.vscode-lldb.adapter # codelldb - debugger

-      #-- python
-      pyright # python language server
-      (python313.withPackages (
-        ps:
-          with ps; [
-            ruff
-            black # python formatter
-            # debugpy
+          #-- python
+          (python313.withPackages (
+            ps: with ps; [
+              # python language server
+              pyright
+              ruff

-            # my commonly used python packages
-            jupyter
-            ipython
-            pandas
-            requests
-            pyquery
-            pyyaml
-            boto3
-          ]
-      ))
+              pipx # Install and Run Python Applications in Isolated Environments
+              black # python formatter
+              uv # python project package manager

-      #-- rust
-      # we'd better use the rust-overlays for rust development
-      pkgs-unstable.rustc
-      pkgs-unstable.rust-analyzer
-      pkgs-unstable.cargo # rust package manager
-      pkgs-unstable.rustfmt
-      pkgs-unstable.clippy # rust linter
+              # my commonly used python packages
+              jupyter
+              ipython
+              pandas
+              requests
+              pyquery
+              pyyaml
+              boto3

-      #-- golang
-      go
-      gomodifytags
-      iferr # generate error handling code for go
-      impl # generate function implementation for go
-      gotools # contains tools like: godoc, goimports, etc.
-      gopls # go language server
-      delve # go debugger
+              # misc
+              protobuf # protocol buffer compiler
+              numpy
+            ]
+          ))

-      # -- java
-      jdk17
-      gradle
-      maven
-      spring-boot-cli
-      jdt-language-server
+          #-- rust
+          # we'd better use the rust-overlays for rust development
+          pkgs-unstable.rustc
+          pkgs-unstable.rust-analyzer
+          pkgs-unstable.cargo # rust package manager
+          pkgs-unstable.rustfmt
+          pkgs-unstable.clippy # rust linter

-      #-- zig
-      zls
+          #-- golang
+          go
+          gomodifytags
+          iferr # generate error handling code for go
+          impl # generate function implementation for go
+          gotools # contains tools like: godoc, goimports, etc.
+          gopls # go language server
+          delve # go debugger

-      #-- lua
-      stylua
-      lua-language-server
+          # -- java
+          jdk17
+          gradle
+          maven
+          spring-boot-cli
+          jdt-language-server

-      #-- bash
-      nodePackages.bash-language-server
-      shellcheck
-      shfmt
-    ]
-    #-*- Web Development -*-#
-    ++ [
-      nodePackages.nodejs
-      nodePackages.typescript
-      nodePackages.typescript-language-server
-      # HTML/CSS/JSON/ESLint language servers extracted from vscode
-      nodePackages.vscode-langservers-extracted
-      nodePackages."@tailwindcss/language-server"
-      emmet-ls
-    ]
-    # -*- Lisp like Languages -*-#
-    # ++ [
-    #   guile
-    #   racket-minimal
-    #   fnlfmt # fennel
-    #   (
-    #     if pkgs.stdenv.isLinux && pkgs.stdenv.isx86
-    #     then pkgs-unstable.akkuPackages.scheme-langserver
-    #     else pkgs.emptyDirectory
-    #   )
-    # ]
-    ++ [
-      proselint # English prose linter
+          #-- zig
+          zls

-      #-- verilog / systemverilog
-      verible
+          #-- lua
+          stylua
+          lua-language-server

-      #-- Optional Requirements:
-      nodePackages.prettier # common code formatter
-      fzf
-      gdu # disk usage analyzer, required by AstroNvim
-      (ripgrep.override {withPCRE2 = true;}) # recursively searches directories for a regex pattern
-    ]
-  );
+          #-- bash
+          nodePackages.bash-language-server
+          shellcheck
+          shfmt
+        ]
+      #-*- Web Development -*-#
+      ++ [
+        nodePackages.nodejs
+        nodePackages.typescript
+        nodePackages.typescript-language-server
+        # HTML/CSS/JSON/ESLint language servers extracted from vscode
+        nodePackages.vscode-langservers-extracted
+        nodePackages."@tailwindcss/language-server"
+        emmet-ls
+      ]
+      # -*- Lisp like Languages -*-#
+      # ++ [
+      #   guile
+      #   racket-minimal
+      #   fnlfmt # fennel
+      #   (
+      #     if pkgs.stdenv.isLinux && pkgs.stdenv.isx86
+      #     then pkgs-unstable.akkuPackages.scheme-langserver
+      #     else pkgs.emptyDirectory
+      #   )
+      # ]
+      ++ [
+        proselint # English prose linter
+
+        #-- verilog / systemverilog
+        verible
+
+        #-- Optional Requirements:
+        nodePackages.prettier # common code formatter
+        fzf
+        gdu # disk usage analyzer, required by AstroNvim
+        (ripgrep.override { withPCRE2 = true; }) # recursively searches directories for a regex pattern
+      ]
+    );
 }
@@ -2,10 +2,11 @@
  pkgs,
  pkgs-unstable,
  ...
-}: {
+}:
+{
  home.packages = with pkgs; [
    age
-    pkgs-unstable.sops
+    sops
    rclone
  ];
 }
@@ -2,7 +2,8 @@
  config,
  mysecrets,
  ...
-}: {
+}:
+{
  programs.gpg = {
    enable = true;
    homedir = "${config.home.homeDirectory}/.gnupg";
@@ -3,9 +3,11 @@
  config,
  lib,
  ...
-}: let
+}:
+let
  passwordStoreDir = "${config.xdg.dataHome}/password-store";
-in {
+in
+{
  programs.password-store = {
    enable = true;
    package = pkgs.pass.withExtensions (exts: [
@@ -2,9 +2,11 @@
  config,
  pkgs-unstable,
  ...
-}: let
+}:
+let
  inherit (pkgs-unstable) nu_scripts;
-in {
+in
+{
  programs.nushell = {
    # load the alias file for work
    # the file must exist, otherwise nushell will complain about it!
@@ -14,6 +16,10 @@ in {
    extraConfig = ''
      source /etc/agenix/alias-for-work.nushell

+      # using claude-code with kimi k2
+      $env.ANTHROPIC_BASE_URL = "https://api.moonshot.cn/anthropic/"
+      $env.ANTHROPIC_API_KEY = $env.MOONSHOT_API_KEY
+
      # Directories in this constant are searched by the
      # `use` and `source` commands.
      const NU_LIB_DIRS = $NU_LIB_DIRS ++ ['${nu_scripts}/share/nu_scripts']
@@ -34,7 +40,7 @@ in {
      # use custom-completions/zoxide/zoxide-completions.nu *

      # alias
-      use aliases/git/git-aliases.nu *
+      # use aliases/git/git-aliases.nu *
      use aliases/eza/eza-aliases.nu *
      use aliases/bat/bat-aliases.nu *

@@ -2,14 +2,28 @@
  config,
  mysecrets,
  ...
-}: {
+}:
+{
  home.file.".ssh/romantic.pub".source = "${mysecrets}/public/romantic.pub";

  programs.ssh = {
    enable = true;

-    # "a private key that is used during authentication will be added to ssh-agent if it is running"
-    addKeysToAgent = "yes";
+    # default config
+    enableDefaultConfig = false;
+    matchBlocks."*" = {
+      forwardAgent = false;
+      # "a private key that is used during authentication will be added to ssh-agent if it is running"
+      addKeysToAgent = "yes";
+      compression = true;
+      serverAliveInterval = 0;
+      serverAliveCountMax = 3;
+      hashKnownHosts = false;
+      userKnownHostsFile = "~/.ssh/known_hosts";
+      controlMaster = "no";
+      controlPath = "~/.ssh/master-%r@%n:%p";
+      controlPersist = "no";
+    };

    matchBlocks = {
      "github.com" = {
@@ -303,69 +303,6 @@ default_shell "nu"
 //
 // scrollback_lines_to_serialize 10000

-// Define color themes for Zellij
-// For more examples, see: https://github.com/zellij-org/zellij/tree/main/example/themes
-// Once these themes are defined, one of them should to be selected in the "theme" section of this file
-//
-themes {
-  // https://github.com/zellij-org/zellij/blob/main/zellij-utils/assets/themes/catppuccin.kdl
-  catppuccin-latte {
-    bg "#acb0be" // Surface2
-    fg "#acb0be" // Surface2
-    red "#d20f39"
-    green "#40a02b"
-    blue "#1e66f5"
-    yellow "#df8e1d"
-    magenta "#ea76cb" // Pink
-    orange "#fe640b" // Peach
-    cyan "#04a5e5" // Sky
-    black "#dce0e8" // Crust
-    white "#4c4f69" // Text
-  }
-
-  catppuccin-frappe {
-    bg "#626880" // Surface2
-    fg "#c6d0f5"
-    red "#e78284"
-    green "#a6d189"
-    blue "#8caaee"
-    yellow "#e5c890"
-    magenta "#f4b8e4" // Pink
-    orange "#ef9f76" // Peach
-    cyan "#99d1db" // Sky
-    black "#292c3c" // Mantle
-    white "#c6d0f5"
-  }
-
-  catppuccin-macchiato {
-    bg "#5b6078" // Surface2
-    fg "#cad3f5"
-    red "#ed8796"
-    green "#a6da95"
-    blue "#8aadf4"
-    yellow "#eed49f"
-    magenta "#f5bde6" // Pink
-    orange "#f5a97f" // Peach
-    cyan "#91d7e3" // Sky
-    black "#1e2030" // Mantle
-    white "#cad3f5"
-  }
-
-  catppuccin-mocha {
-    bg "#585b70" // Surface2
-    fg "#cdd6f4"
-    red "#f38ba8"
-    green "#a6e3a1"
-    blue "#89b4fa"
-    yellow "#f9e2af"
-    magenta "#f5c2e7" // Pink
-    orange "#fab387" // Peach
-    cyan "#89dceb" // Sky
-    black "#181825" // Mantle
-    white "#cdd6f4"
-  }
-}
-
 // Choose the theme that is specified in the themes section.
 // Default: default
 //
@@ -1,12 +1,18 @@
-{pkgs, ...}: let
+{ pkgs, ... }:
+let
  shellAliases = {
    "zj" = "zellij";
  };
-in {
+in
+{
  programs.zellij = {
    enable = true;
    package = pkgs.zellij;
  };
+  xdg.configFile."zellij/config.kdl".source = ./config.kdl;
+  # Disable catppuccin to avoid conflict with my non-nix config.
+  catppuccin.zellij.enable = false;
+
  # auto start zellij in nushell
  programs.nushell.extraConfig = ''
    # auto start zellij
@@ -29,6 +35,4 @@ in {
  # only works in bash/zsh, not nushell
  home.shellAliases = shellAliases;
  programs.nushell.shellAliases = shellAliases;
-
-  xdg.configFile."zellij/config.kdl".source = ./config.kdl;
 }
@@ -1,6 +1,33 @@
 # Home Manager's Darwin Submodules

-1. `core.nix`: some basic configuration.
-2. `shell.nix`: shell related.
-3. `rime-squirrel.nix`: [rime-squirrel](https://github.com/rime/squirrel)'s configuration.
-4. `default.nix`: the entrypoint of darwin's configuration, it import all the submodules above.
+This directory contains macOS-specific Home Manager configurations for Darwin systems.
+
+## Configuration Modules
+
+### Core Configurations
+
+- **default.nix**: Entry point that imports all Darwin configurations
+- **shell.nix**: Shell configurations and environment settings
+- **rime-squirrel.nix**: [Rime Squirrel](https://github.com/rime/squirrel) input method
+  configuration
+
+### Window Management
+
+- **aerospace/**: [Aerospace](https://github.com/nikitabobko/AeroSpace) tiling window manager
+  configuration
+  - Custom keybindings and workspace management
+  - Application-specific window rules
+
+### Network Configuration
+
+- **proxy/**: Network proxy configurations
+  - `proxychains.conf`: Proxy chains configuration for network routing
+  - Proxy settings for development tools and applications
+
+## Features
+
+- macOS-specific package installations and configurations
+- Native macOS applications and utilities
+- Touch ID and system integration
+- Homebrew integration for additional packages
+- macOS-specific shell configurations and aliases
@@ -226,11 +226,6 @@ run = 'move-node-to-workspace 3Work'
 if.app-id = 'com.tinyspeck.slackmacgap'
 run = 'move-node-to-workspace 3Work'

-
-[[on-window-detected]]
-if.app-id = 'us.zoom.xos'
-run = 'move-node-to-workspace 3Work'
-
 [[on-window-detected]]
 if.app-id = 'org.mozilla.firefox'
 run = 'move-node-to-workspace 4Firefox'
@@ -285,6 +280,14 @@ run = ['layout floating', 'move-node-to-workspace 9File']
 if.app-id = 'com.apple.Preview'
 run = ['layout floating', 'move-node-to-workspace 9File']

+[[on-window-detected]]
+if.app-id = 'com.microsoft.VSCode'
+run = ['layout floating', 'move-node-to-workspace 9File']
+
+[[on-window-detected]]
+if.app-id = 'com.todesktop.230313mzl4w4u92' # Cursor AI Editor
+run = ['layout floating', 'move-node-to-workspace 9File']
+
 [[on-window-detected]]
 if.app-id = 'org.wireshark.Wireshark'
 run = ['layout floating', 'move-node-to-workspace 0Other']
@@ -294,8 +297,8 @@ if.app-id = 'ai.elementlabs.lmstudio'
 run = ['layout floating', 'move-node-to-workspace 0Other']

 [[on-window-detected]]
-if.app-id = 'com.microsoft.VSCode'
-run = ['layout floating', 'move-node-to-workspace 0Other']
+if.app-id = 'us.zoom.xos'
+run = 'move-node-to-workspace 0Other'

 # Auth UI - do not move it
 [[on-window-detected]]
@@ -307,6 +310,11 @@ run = ['layout floating']
 if.app-id = 'com.apple.systempreferences'
 run = ['layout floating']

+# Clash Verge - has problem with floating
+[[on-window-detected]]
+if.app-id = 'io.github.clash-verge-rev.clash-verge-rev'
+run = ['move-node-to-workspace 0Other']
+
 # Make all windows float by default
 [[on-window-detected]]
 check-further-callbacks = true
@@ -1,5 +1,5 @@
-{config, ...}: {
+{ config, ... }:
+{
  home.file.".aerospace.toml".source =
-    config.lib.file.mkOutOfStoreSymlink
-    "${config.home.homeDirectory}/nix-config/home/darwin/aerospace/aerospace.toml";
+    config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/nix-config/home/darwin/aerospace/aerospace.toml";
 }
@@ -2,16 +2,15 @@
  mylib,
  myvars,
  ...
-}: {
+}:
+{
  home.homeDirectory = "/Users/${myvars.username}";
-  imports =
-    (mylib.scanPaths ./.)
-    ++ [
-      ../base/core
-      ../base/tui
-      ../base/gui
-      ../base/home.nix
-    ];
+  imports = (mylib.scanPaths ./.) ++ [
+    ../base/core
+    ../base/tui
+    ../base/gui
+    ../base/home.nix
+  ];

  # enable management of XDG base directories on macOS.
  xdg.enable = true;
@@ -2,12 +2,12 @@
  config,
  pkgs,
  ...
-}: {
+}:
+{
  home.packages = with pkgs; [
    clash-meta
  ];

  home.file.".proxychains/proxychains.conf".source =
-    config.lib.file.mkOutOfStoreSymlink
-    "${config.home.homeDirectory}/nix-config/home/darwin/proxy/proxychains.conf";
+    config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/nix-config/home/darwin/proxy/proxychains.conf";
 }
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
  # Squirrel Input Method
  home.file."Library/Rime" = {
    # my custom squirrel data (flypy input method)
@@ -1,4 +1,5 @@
-{lib, ...}: let
+{ lib, ... }:
+let
  envExtra = ''
    export PATH="$PATH:/opt/homebrew/bin:/usr/local/bin"
  '';
@@ -20,7 +21,8 @@
      true
    fi
  '';
-in {
+in
+{
  # Homebrew's default install location:
  #   /opt/homebrew for Apple Silicon
  #   /usr/local for macOS Intel
@@ -1,10 +1,34 @@
 # Home Manager's Linux Submodules

-1. `base`: The base module that is suitable for any NixOS environment.
-2. `desktop`: Configuration for desktop environments, such as Hyprland, I3, etc.
-3. `server.nix`: Configuration which is suitable for both servers and desktops. It import only
-   `base` as its submodule.
-   1. used by all my nixos servers.
-4. `desktop.nix`: the entrypoint of desktop's configuration, it import both `base` and `desktop` as
-   its submodules.
-   1. used by all my nixos desktops.
+This directory contains Linux-specific Home Manager configurations organized for different use
+cases.
+
+## Configuration Modules
+
+### Core Configurations
+
+- **core.nix**: Essential Linux-specific configurations and settings
+- **base/**: Base Linux configurations including shell, tools, and utilities
+  - `shell.nix`: Shell configurations and aliases
+  - `tools.nix`: Essential command-line tools and utilities
+
+### Desktop Configurations
+
+- **gui/**: Desktop environment configurations
+  - **hyprland/**: Hyprland window manager with custom keybindings and settings
+  - **niri/**: Niri compositor configuration
+  - **base/**: Common desktop applications and services
+  - **editors/**: Text editor configurations for desktop environments
+
+### Available Entry Points
+
+- **core.nix**: Core Linux configuration, suitable for basic setups
+- **tui.nix**: Terminal-based interface configuration for lightweight environments
+- **gui.nix**: Graphical user interface configuration entry point, imports desktop environments
+
+## Usage
+
+- **Lightweight/Terminal**: Use `core.nix` or `tui.nix` for terminal-focused setups
+- **Desktops**: Use `gui.nix` for full desktop environments with window managers like Hyprland or
+  Niri
+- **Custom**: Mix and match configurations as needed for your specific use case
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
+{
  imports = mylib.scanPaths ./.;
 }
@@ -2,11 +2,13 @@
  config,
  myvars,
  ...
-}: let
+}:
+let
  d = config.xdg.dataHome;
  c = config.xdg.configHome;
  cache = config.xdg.cacheHome;
-in rec {
+in
+rec {
  home.homeDirectory = "/home/${myvars.username}";

  # environment variables that always set at login
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
+{
  # Linux Only Packages, not available on Darwin
  home.packages = with pkgs; [
    # misc
@@ -1,17 +1,49 @@
-# Desktop Related
+# Desktop Environment Configurations

-3. `base`: all common configurations for all desktops.
-4. `hyprland`: Hyprland's configuration.
+This directory contains desktop environment and window manager configurations managed by Home
+Manager.

-## Why install I3/Hyprland in Home Manager instead of a NixOS Module?
+## Available Configurations

-1. I3 & Hyprland's configuration file is located in `~/.config`, which can be easily managed by Home
-   Manager.
-2. I have many user-specific systemd services, such gammastep, wallpaper-switcher, etc. Which can be
-   easily managed by Home Manager, but if we add i3/hyprland in a NixOS Module, those user-level
-   services may failed to start automatically. With i3/hyprland in a Home Manager Module, we can
-   control their systemd service's dependent order more easily, so we can avoid issues like this.
-3. By install packages as less as possible in NixOS Module, we can:
-   1. Make the NixOS system more secure and stable.
-   2. Make this flake more portable to other non-NixOS systems, as home-manager can be installed on
-      any Linux system.
+### Window Managers
+
+- **hyprland**: Hyprland compositor configuration with custom keybindings, settings, and window
+  rules
+- **niri**: Niri compositor configuration with custom settings, keybindings, spawn-at-startup rules,
+  and window rules
+
+### Base Desktop Environment
+
+- **base**: Common desktop configurations shared across all environments, including:
+  - Desktop applications (anyrun, mako, waybar, wlogout)
+  - Creative tools and media applications
+  - Development tools
+  - Eye protection utilities (gammastep)
+  - Fcitx5 input method framework
+  - Games and gaming utilities
+  - GTK theme configurations
+  - Immutable file handling
+  - Note-taking applications
+  - Wallpaper management with auto-switcher
+  - Wayland applications
+  - XDG desktop configurations
+
+### Editor Configurations
+
+- **editors**: Text editor configurations and integrations
+
+## Why install Desktop Environments in Home Manager instead of NixOS Module?
+
+1. **Configuration Location**: Desktop environment configuration files are located in `~/.config`,
+   which can be easily managed by Home Manager.
+
+2. **User-specific Services**: Many user-specific systemd services (gammastep, wallpaper-switcher,
+   etc.) can be easily managed by Home Manager. If desktop environments were configured via NixOS
+   Module, these user-level services might fail to start automatically. With Home Manager modules,
+   we can control systemd service dependency order more effectively.
+
+3. **System Benefits**: By minimizing package installation through NixOS Module:
+   - Makes the NixOS system more secure and stable
+   - Increases portability to non-NixOS systems, as Home Manager can be installed on any Linux
+     system
+   - Allows for easier switching between different window managers without system-level changes
@@ -1,67 +1,78 @@
 {
+  lib,
  pkgs,
  pkgs-unstable,
  # pkgs-stable,
  nur-ryan4yin,
  blender-bin,
  ...
-}: {
-  home.packages = with pkgs; [
-    # creative
-    # https://github.com/edolstra/nix-warez/blob/master/blender/flake.nix
-    blender-bin.packages.${pkgs.system}.blender_4_2 # 3d modeling
-    # gimp      # image editing, I prefer using figma in browser instead of this one
-    inkscape # vector graphics
-    krita # digital painting
-    musescore # music notation
-    # reaper # audio production
-    # sonic-pi # music programming
+}:
+{
+  home.packages =
+    with pkgs;
+    [
+      # creative
+      # gimp      # image editing, I prefer using figma in browser instead of this one
+      inkscape # vector graphics
+      krita # digital painting
+      musescore # music notation
+      # reaper # audio production
+      # sonic-pi # music programming

-    # 2d game design
-    ldtk # A modern, versatile 2D level editor
-    # aseprite # Animated sprite editor & pixel art tool
+      # 2d game design
+      # aseprite # Animated sprite editor & pixel art tool

-    # this app consumes a lot of storage, so do not install it currently
-    # kicad     # 3d printing, eletrical engineering
+      # this app consumes a lot of storage, so do not install it currently
+      # kicad     # 3d printing, eletrical engineering
+    ]
+    ++ (lib.optionals pkgs.stdenv.isx86_64 [
+      # https://github.com/edolstra/nix-warez/blob/master/blender/flake.nix
+      blender-bin.packages.${pkgs.system}.blender_4_2 # 3d modeling

-    # fpga
-    pkgs-unstable.python313Packages.apycula # gowin fpga
-    pkgs-unstable.yosys # fpga synthesis
-    pkgs-unstable.nextpnr # fpga place and route
-    pkgs-unstable.openfpgaloader # fpga programming
-    # nur-ryan4yin.packages.${pkgs.system}.gowin-eda-edu-ide # app: `gowin-env` => `gw_ide` / `gw_pack` / ...
-  ];
+      ldtk # A modern, versatile 2D level editor
+
+      # fpga
+      # python313Packages.apycula # gowin fpga
+      # yosys # fpga synthesis
+      # nextpnr # fpga place and route
+      # openfpgaloader # fpga programming
+      # nur-ryan4yin.packages.${pkgs.system}.gowin-eda-edu-ide # app: `gowin-env` => `gw_ide` / `gw_pack` / ...
+    ]);

  programs = {
    # live streaming
    obs-studio = {
-      enable = true;
-      plugins = with pkgs.obs-studio-plugins; [
-        # screen capture
-        wlrobs
-        # obs-ndi
-        obs-vaapi
-        # obs-nvfbc
-        obs-teleport
-        # obs-hyperion
-        droidcam-obs
-        obs-vkcapture
-        obs-gstreamer
-        obs-3d-effect
-        input-overlay
-        obs-multi-rtmp
-        obs-source-clone
-        obs-shaderfilter
-        obs-source-record
-        obs-livesplit-one
-        looking-glass-obs
-        obs-vintage-filter
-        obs-command-source
-        obs-move-transition
-        obs-backgroundremoval
-        # advanced-scene-switcher
-        obs-pipewire-audio-capture
-      ];
+      enable = pkgs.stdenv.isx86_64;
+      plugins =
+        with pkgs.obs-studio-plugins;
+        [
+          # screen capture
+          wlrobs
+          # obs-ndi
+          # obs-nvfbc
+          obs-teleport
+          # obs-hyperion
+          droidcam-obs
+          obs-vkcapture
+          obs-gstreamer
+          input-overlay
+          obs-multi-rtmp
+          obs-source-clone
+          obs-shaderfilter
+          obs-source-record
+          obs-livesplit-one
+          looking-glass-obs
+          obs-vintage-filter
+          obs-command-source
+          obs-move-transition
+          obs-backgroundremoval
+          # advanced-scene-switcher
+          obs-pipewire-audio-capture
+        ]
+        ++ (lib.optionals pkgs.stdenv.isx86_64 [
+          obs-vaapi
+          obs-3d-effect
+        ]);
    };
  };
 }
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
+{
  imports = mylib.scanPaths ./.;
 }
@@ -0,0 +1,66 @@
+{
+  pkgs,
+  anyrun,
+  ...
+}:
+
+let
+  anyrunPackages = anyrun.packages.${pkgs.system};
+in
+{
+
+  imports = [
+    (
+      { modulesPath, ... }:
+      {
+        # Important! We disable home-manager's module to avoid option
+        # definition collisions
+        disabledModules = [ "${modulesPath}/programs/anyrun.nix" ];
+      }
+    )
+    anyrun.homeManagerModules.default
+  ];
+
+  programs.anyrun = {
+    enable = true;
+    # The package should come from the same flake as all the plugins to avoid breakage.
+    package = anyrunPackages.anyrun;
+    config = {
+      # The horizontal position.
+      # when using `fraction`, it sets a fraction of the width or height of the screen
+      x.fraction = 0.5; # at the middle of the screen
+      # The vertical position.
+      y.fraction = 0.05; # at the top of the screen
+      # The width of the runner.
+      width.fraction = 0.3; # 30% of the screen
+
+      hideIcons = false;
+      ignoreExclusiveZones = false;
+      layer = "overlay";
+      hidePluginInfo = false;
+      closeOnClick = true;
+      showResultsImmediately = true;
+      maxEntries = null;
+
+      # https://github.com/anyrun-org/anyrun/tree/master/plugins
+      plugins = with anyrunPackages; [
+        applications # Launch applications
+        dictionary # Look up word definitions using the Free Dictionary API.
+        nix-run # search & run graphical apps from nixpkgs via `nix run`, without installing it.
+        # randr         # quickly change monitor configurations on the fly
+        rink # A simple calculator plugin
+        symbols # Look up unicode symbols and custom user defined symbols.
+        translate # ":zh <text to translate>" Quickly translate text using the Google Translate API.
+        niri-focus # Search for & focus the window via title/appid on Niri
+      ];
+    };
+
+    extraConfigFiles = {
+      "symbols.ron".source = ./conf/anyrun/symbols.ron;
+      "applications.ron".source = ./conf/anyrun/applications.ron;
+    };
+  };
+
+  # https://github.com/anyrun-org/anyrun/discussions/179
+  xdg.configFile."anyrun/style.css".source = ./conf/anyrun/style.css;
+}
@@ -0,0 +1,16 @@
+Config(
+  // Also show the Desktop Actions defined in the desktop files, e.g. "New Window" from LibreWolf
+  desktop_actions: true,
+
+  max_entries: 5,
+
+  // The terminal used for running terminal based desktop entries, if left as `None` a static list of terminals is used
+  // to determine what terminal to use.
+  terminal: Some(Terminal(
+    // The main terminal command
+    command: "alacritty",
+    // What arguments should be passed to the terminal process to run the command correctly
+    // {} is replaced with the command in the desktop entry
+    args: "-e {}",
+  )),
+)
@@ -0,0 +1,101 @@
+/* ===== Color variables ===== */
+:root {
+  --bg-color: #313244;
+  --fg-color: #cdd6f4;
+  --primary-color: #89b4fa;
+  --secondary-color: #cba6f7;
+  --border-color: var(--primary-color);
+  --selected-bg-color: var(--primary-color);
+  --selected-fg-color: var(--bg-color);
+}
+
+/* ===== Global reset ===== */
+* {
+  all: unset;
+  font-family: "JetBrainsMono Nerd Font", monospace;
+}
+
+/* ===== Transparent window ===== */
+window {
+  background: transparent;
+}
+
+/* ===== Main container ===== */
+box.main {
+  border-radius: 16px;
+  background-color: color-mix(in srgb, var(--bg-color) 80%, transparent);
+  border: 0.5px solid color-mix(in srgb, var(--fg-color) 25%, transparent);
+  padding: 12px; /* add uniform padding around the whole box */
+}
+
+/* ===== Input field ===== */
+text {
+  font-size: 1.3rem;
+  background: transparent;
+  border: 1px solid var(--border-color);
+  border-radius: 16px;
+  margin-bottom: 12px;
+  padding: 5px 10px;
+  min-height: 44px;
+  caret-color: var(--primary-color);
+}
+
+/* ===== List container ===== */
+.matches {
+  background-color: transparent;
+}
+
+/* ===== Single match row ===== */
+.match {
+  font-size: 1.1rem;
+  padding: 4px 10px; /* tight vertical spacing */
+  border-radius: 6px;
+}
+
+/* Remove default label margins */
+.match * {
+  margin: 0;
+  padding: 0;
+  line-height: 1;
+}
+
+/* Selected / hover state */
+.match:selected,
+.match:hover {
+  background-color: var(--selected-bg-color);
+  color: var(--selected-fg-color);
+}
+
+.match:selected label.plugin.info,
+.match:hover label.plugin.info {
+  color: var(--selected-fg-color);
+}
+
+.match:selected label.match.description,
+.match:hover label.match.description {
+  color: color-mix(in srgb, var(--selected-fg-color) 90%, transparent);
+}
+
+/* ===== Plugin info label ===== */
+label.plugin.info {
+  color: var(--fg-color);
+  font-size: 1rem;
+  min-width: 160px;
+  text-align: left;
+}
+
+/* ===== Description label ===== */
+label.match.description {
+  font-size: 0rem;
+  color: var(--fg-color);
+}
+
+/* ===== Fade-in animation ===== */
+@keyframes fade {
+  0% {
+    opacity: 0;
+  }
+  100% {
+    opacity: 1;
+  }
+}
@@ -0,0 +1,10 @@
+Config(
+  // The prefix that the search needs to begin with to yield symbol results
+  prefix: "",
+  // Custom user defined symbols to be included along the unicode symbols
+  symbols: {
+    // "name": "text to be copied"
+    "shrug": "¯\\_(ツ)_/¯",
+  },
+  max_entries: 3,
+)
@@ -0,0 +1,37 @@
+general {
+    lock_cmd = pidof swaylock || swaylock              # avoid starting multiple instances
+    before_sleep_cmd = loginctl lock-session          # lock before suspend
+    after_sleep_cmd = hyprctl dispatch dpms on        # resume dpms after suspend
+    ignore_dbus_inhibit = false                       # whether to ignore dbus-sent idle-inhibit requests
+}
+
+listener { 
+    timeout = 180                                                      # 3 minutes
+    # List devices: brightnessctl --list
+    # Adjust keyboard backlight: brightnessctl -d kbd_backlight set 50%
+    on-timeout = brightnessctl --save --device=kbd_backlight set 0     # turn off keyboard backlight.
+    on-resume = brightnessctl --restore --device=kbd_backlight         # turn on keyboard backlight.
+}
+
+# listener {
+#     timeout = 600                                # 10min.
+#     on-timeout = brightnessctl -s set 10         # set monitor backlight to minimum, avoid 0 on OLED monitor.
+#     on-resume = brightnessctl -r                 # monitor backlight restore.
+# }
+
+listener {
+    timeout = 1600                                     # 20 minutes
+    on-timeout = pidof swaylock || swaylock           # lock screen
+    on-resume = hyprctl dispatch dpms on              # monitor wake up
+}
+
+listener {
+    timeout = 1660                                             # 31 minutes
+    on-timeout = hyprctl dispatch dpms off                     # screen off
+    on-resume = hyprctl dispatch dpms on && brightnessctl -r   # monitor wake up & screen on
+}
+
+# listener {
+#     timeout = 1800                                # 30min
+#     on-timeout = systemctl suspend                # suspend pc
+# }
@@ -12,7 +12,7 @@ on-touch=dismiss
 on-notify=exec mpv /usr/share/sounds/freedesktop/stereo/message.oga

 # STYLE OPTIONS
-font=JetBrains Mono 10
+font=Maple Mono NF CN
 width=300
 height=100
 margin=10
--- a/Show More
+++ b/Show More