chore: remove mihomo-party

feat: add netbird for homelab, keep tailscale for work (#225 )
refactor: grafana - add more datasources, rewrite in nix
2026-05-28 18:39:31 +02:00 · 2025-10-02 11:50:46 +08:00 · 2025-10-02 11:49:05 +08:00 · 2025-09-26 23:46:54 +08:00 · 2025-09-26 21:37:23 +08:00 · 2025-09-26 19:12:45 +08:00
408 changed files with 37607 additions and 9302 deletions
@@ -25,9 +25,9 @@ jobs:
    steps:
      - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
      - name: Install nix
-        uses: cachix/install-nix-action@v24
+        uses: cachix/install-nix-action@v31
        with:
          install_url: https://nixos.org/nix/install
          extra_nix_config: |
@@ -1,3 +1,4 @@
 .Trash-1000/
 result
 result/
 .direnv/
@@ -7,3 +8,4 @@ logs/
 core*
 !core/
 !core.nix
 !coredns*
@@ -1,10 +1,21 @@
 [files]
 # Respect .ignore files.
 ignore-dot = true
 # Respect ignore files.
 ignore-files = true
-extend-exclude = ["themes/", "data/", "static-surprises/", "resources/"]
+# Typos-specific ignore globs (gitignore syntax).
 # NOTE: This setting is ignored when you pass the path directly on the command line, as cachix/git-hooks.nix does.
 # To ignore those files, you must also exclude those directories via git-hooks.hooks.typos.settings.exclude.
 extend-exclude = [
  "data/",
  "rime-data/",
 ]
 [default]
 # Check binary files as text.
 binary = false
 # Verify spelling in file names.
 check-filename = true
 # ignore some special identifiers(sha256, mac address, crypto keys, etc)
 extend-ignore-re = [
  "iterm2",
@@ -26,13 +26,13 @@ test:
 # Update all the flake inputs
 [group('nix')]
 up:
-  nix flake update
+  nix flake update --commit-lock-file
 # Update specific input
 # Usage: just upp nixpkgs
 [group('nix')]
 upp input:
-  nix flake update {{input}}
+  nix flake update {{input}} --commit-lock-file
 # List all generations of the system profile
 [group('nix')]
@@ -48,7 +48,10 @@ repl:
 # on darwin, you may need to switch to root user to run this command
 [group('nix')]
 clean:
  # Wipe out NixOS's history
  sudo nix profile wipe-history --profile /nix/var/nix/profiles/system  --older-than 7d
  # Wipe out home-manager's history
  nix profile wipe-history --profile $"($env.XDG_STATE_HOME)/nix/profiles/home-manager" --older-than 7d
 # Garbage collect all unused nix store entries
 [group('nix')]
@@ -74,7 +77,7 @@ shell:
 [group('nix')]
 fmt:
  # format the nix files in this repo
-  nix fmt
+  ls **/*.nix | each { |it| nixfmt $it.name }
 # Show all the auto gc roots in the nix store
 [group('nix')]
@@ -94,29 +97,44 @@ verify-store:
 repair-store *paths:
  nix store repair {{paths}}
 # Update all Nixpkgs inputs
 [group('nix')]
 up-nix:
  nix flake update nixpkgs nixpkgs-stable nixpkgs-unstable nixpkgs-darwin nixpkgs-ollama
 ############################################################################
 #
 #  NixOS Desktop related commands
 #
 ############################################################################
 # Deploy the nixosConfiguration by hostname match
 [linux]
 [group('homelab')]
 local mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *;
  nixos-switch (hostname) {{mode}}
 # Deploy the hyprland nixosConfiguration by hostname match
 [linux]
 [group('desktop')]
 hypr mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *;
-  nixos-switch ai-hyprland {{mode}}
+  nixos-switch $"(hostname)-hyprland" {{mode}}
 # Deploy the niri nixosConfiguration by hostname match
 [linux]
 [group('desktop')]
-s-hypr mode="default":
+niri mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *;
-  nixos-switch shoukei-hyprland {{mode}}
+  nixos-switch $"(hostname)-niri" {{mode}}
 ############################################################################
 #
-#  Darwin related commands, harmonica is my macbook pro's hostname
+#  Darwin related commands
 #
 ############################################################################
@@ -133,32 +151,15 @@ darwin-rollback:
  use {{utils_nu}} *;
  darwin-rollback
-# Deploy to harmonica(macOS host)
+# Deploy the darwinConfiguration by hostname match
 [macos]
 [group('desktop')]
-ha mode="default":
+local mode="default": 
  #!/usr/bin/env nu
  use {{utils_nu}} *;
-  darwin-build "harmonica" {{mode}};
+  darwin-build (hostname) {{mode}};
-  darwin-switch "harmonica" {{mode}}
+  darwin-switch (hostname) {{mode}}
 # Depoly to fern(macOS host)
 [macos]
 [group('desktop')]
 fe mode="default": 
  #!/usr/bin/env nu
  use {{utils_nu}} *;
  darwin-build "fern" {{mode}};
  darwin-switch "fern" {{mode}}
 # Depoly to frieren(macOS host)
 [macos]
 [group('desktop')]
 fr mode="default": 
  #!/usr/bin/env nu
  use {{utils_nu}} *;
  darwin-build "frieren" {{mode}};
  darwin-switch "frieren" {{mode}}
 # Reset launchpad to force it to reindex Applications
 [macos]
@@ -179,13 +180,6 @@ reset-launchpad:
 col tag:
  colmena apply --on '@{{tag}}' --verbose --show-trace
 [linux]
 [group('homelab')]
 local name mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *;
  nixos-switch {{name}} {{mode}}
 # Build and upload a vm image
 [linux]
 [group('homelab')]
@@ -205,37 +199,16 @@ lab:
 shoryu:
  colmena apply --on '@kubevirt-shoryu' --verbose --show-trace
 [linux]
 [group('homelab')]
 shoryu-local mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch kubevirt-shoryu {{mode}}
 [linux]
 [group('homelab')]
 shushou:
  colmena apply --on '@kubevirt-shushou' --verbose --show-trace
 [linux]
 [group('homelab')]
 shushou-local mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch kubevirt-shushou {{mode}}
 [linux]
 [group('homelab')]
 youko:
  colmena apply --on '@kubevirt-youko' --verbose --show-trace
 [linux]
 [group('homelab')]
 youko-local mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch kubevirt-youko {{mode}}
 ############################################################################
 #
 # Commands for other Virtual Machines
@@ -257,37 +230,16 @@ upload-idols mode="default":
 aqua:
  colmena apply --on '@aqua' --verbose --show-trace
 [linux]
 [group('homelab')]
 aqua-local mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch aquamarine {{mode}}
 [linux]
 [group('homelab')]
 ruby:
  colmena apply --on '@ruby' --verbose --show-trace
 [linux]
 [group('homelab')]
 ruby-local mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch ruby {{mode}}
 [linux]
 [group('homelab')]
 kana:
  colmena apply --on '@kana' --verbose --show-trace
 [linux]
 [group('homelab')]
 kana-local mode="default":
  #!/usr/bin/env nu
  use {{utils_nu}} *; 
  nixos-switch kana {{mode}}
 ############################################################################
 #
 # Kubernetes related commands
@@ -375,3 +327,29 @@ list-failed:
 [group('services')]
 list-systemd:
  systemctl list-units systemd-*
 # =================================================
 #
 # Nixpkgs Review via Github Action
 # https://github.com/ryan4yin/nixpkgs-review-gha
 #
 # =================================================
 # Run nixpkgs-review for PR
 [linux]
 [group('nixpkgs')]
 pkg-review pr:
  gh workflow run review.yml --repo ryan4yin/nixpkgs-review-gha -f x86_64-darwin=no -f post-result=true -f pr={{pr}}
 # Run package tests for PR
 [linux]
 [group('nixpkgs')]
 pkg-test pr pname:
  gh workflow run review.yml --repo ryan4yin/nixpkgs-review-gha -f x86_64-darwin=no -f post-result=true -f pr={{pr}} -f extra-args="-p {{pname}}.passthru.tests"
 # View the summary of a workflow
 [linux]
 [group('nixpkgs')]
 pkg-summary:
  gh workflow view review.yml --repo ryan4yin/nixpkgs-review-gha
@@ -56,15 +56,15 @@ You don't have to go through the pain I've experienced again! Check out my
 |                             | NixOS(Wayland)                                                                                                      |
 | --------------------------- | ------------------------------------------------------------------------------------------------------------------- |
-| **Window Manager**          | [Hyprland][Hyprland]                                                                                                |
+| **Window Manager**          | [Hyprland][Hyprland] / [Niri][Niri]                                                                                 |
-| **Terminal Emulator**       | [Zellij][Zellij] + [Kitty][Kitty]                                                                                   |
+| **Terminal Emulator**       | [Zellij][Zellij] + [foot][foot]/[Kitty][Kitty]/[Alacritty][Alacritty]/[Ghostty][Ghostty]                            |
 | **Bar**                     | [Waybar][Waybar]                                                                                                    |
 | **Application Launcher**    | [anyrun][anyrun]                                                                                                    |
 | **Notification Daemon**     | [Mako][Mako]                                                                                                        |
-| **Display Manager**         | [GDM][GDM]                                                                                                          |
+| **Display Manager**         | [tuigreet][tuigreet]                                                                                                |
-| **Color Scheme**            | [Catppuccin][Catppuccin]                                                                                            |
+| **Color Scheme**            | [catppuccin-nix][catppuccin-nix]                                                                                    |
 | **network management tool** | [NetworkManager][NetworkManager]                                                                                    |
-| **Input method framework**  | [Fcitx5][Fcitx5]                                                                                                    |
+| **Input method framework**  | [Fcitx5][Fcitx5] + [rime][rime] + [小鹤音形 flypy][flypy]                                                           |
 | **System resource monitor** | [Btop][Btop]                                                                                                        |
 | **File Manager**            | [Yazi][Yazi] + [thunar][thunar]                                                                                     |
 | **Shell**                   | [Nushell][Nushell] + [Starship][Starship]                                                                           |
@@ -74,7 +74,7 @@ You don't have to go through the pain I've experienced again! Check out my
 | **Image Viewer**            | [imv][imv]                                                                                                          |
 | **Screenshot Software**     | [hyprshot][hyprshot]                                                                                                |
 | **Screen Recording**        | [OBS][OBS]                                                                                                          |
-| **Filesystem & Encryption** | tmpfs on `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] encrypted partition for persistent, unlock via passphrase |
+| **Filesystem & Encryption** | tmpfs as `/`, [Btrfs][Btrfs] subvolumes on a [LUKS][LUKS] encrypted partition for persistent, unlock via passphrase |
 | **Secure Boot**             | [lanzaboote][lanzaboote]                                                                                            |
 Wallpapers: https://github.com/ryan4yin/wallpapers
@@ -109,14 +109,16 @@ For NixOS:
 > To deploy this flake from NixOS's official ISO image (purest installation method), please refer to
 > [./nixos-installer/](./nixos-installer/)
 > Need to restart the machine when switching between `wayland` and `xorg`.
 ```bash
 # deploy one of the configuration based on the hostname
 sudo nixos-rebuild switch --flake .#ai-hyprland
 # deploy via `just`(a command runner with similar syntax to make) & Justfile
-just hypr  # deploy my pc with hyprland compositor
+# Deploy the hyprland nixosConfiguration by hostname match
 just hypr
 # Deploy the niri nixosConfiguration by hostname match
 just niri
 # or we can deploy with details
 just hypr debug
@@ -132,15 +134,11 @@ nix-shell -p just nushell
 # 3. comment home-manager's code in lib/macosSystem.nix to speed up the first deployment.
 # 4. comment out the proxy settings in scripts/darwin_set_proxy.py if the proxy is not ready yet.
-# 4. deploy harmonica's configuration(macOS Intel)
+# Deploy the darwinConfiguration by hostname match
-just ha
+just local
 # deploy fern's configuration(Apple Silicon)
 just fe
 # deploy with details
-just ha debug
+just local debug
 # just fe debug
 ```
 > [What y'all will need when Nix drives you to drink.](https://www.youtube.com/watch?v=Eni9PPPPBpg)
@@ -179,7 +177,11 @@ Other dotfiles that inspired me:
  - [1amSimp1e/dots](https://github.com/1amSimp1e/dots)
 [Hyprland]: https://github.com/hyprwm/Hyprland
 [Niri]: https://github.com/YaLTeR/niri
 [Kitty]: https://github.com/kovidgoyal/kitty
 [foot]: https://codeberg.org/dnkl/foot
 [Alacritty]: https://github.com/alacritty/alacritty
 [Ghostty]: https://github.com/ghostty-org/ghostty
 [Nushell]: https://github.com/nushell/nushell
 [Starship]: https://github.com/starship/starship
 [Waybar]: https://github.com/Alexays/Waybar
@@ -188,6 +190,8 @@ Other dotfiles that inspired me:
 [anyrun]: https://github.com/Kirottu/anyrun
 [Dunst]: https://github.com/dunst-project/dunst
 [Fcitx5]: https://github.com/fcitx/fcitx5
 [rime]: https://wiki.archlinux.org/title/Rime
 [flypy]: https://flypy.cc/
 [Btop]: https://github.com/aristocratos/btop
 [mpv]: https://github.com/mpv-player/mpv
 [Zellij]: https://github.com/zellij-org/zellij
@@ -198,10 +202,10 @@ Other dotfiles that inspired me:
 [OBS]: https://obsproject.com
 [Mako]: https://github.com/emersion/mako
 [Nerd fonts]: https://github.com/ryanoasis/nerd-fonts
-[catppuccin]: https://github.com/catppuccin/catppuccin
+[catppuccin-nix]: https://github.com/catppuccin/nix
 [NetworkManager]: https://wiki.gnome.org/Projects/NetworkManager
 [wl-clipboard]: https://github.com/bugaevc/wl-clipboard
-[GDM]: https://wiki.archlinux.org/title/GDM
+[tuigreet]: https://github.com/apognu/tuigreet
 [thunar]: https://gitlab.xfce.org/xfce/thunar
 [Yazi]: https://github.com/sxyazi/yazi
 [Catppuccin]: https://github.com/catppuccin/catppuccin
@@ -3,5 +3,21 @@
 This is my private Private Key Infrastructure (PKI) / Certificate Authority (CA) for my personal
 use. It is used to issue certificates for my own servers and services.
-All the private keys are ignored by git, and will be stored in my private secrets repo
+## Current Structure
-[../secrets](../secrets/)
+
 - **ecc-ca.crt** - ECC CA certificate file
 - **ecc-ca.srl** - CA serial number file for certificate tracking
 - **ecc-csr.conf** - OpenSSL configuration file for certificate signing requests
 - **ecc-server.crt** - Server certificate signed by the ECC CA
 - **gen-certs.sh** - Shell script to generate certificates automatically
 ## Security Notes
 All private keys (`.key` files) are ignored by git and stored in a private secrets repository. The
 public certificates and configuration files are committed to this repository for reference.
 ## Usage
 Run `./gen-certs.sh` to generate new certificates using the ECC CA configuration.
 See [../secrets](../secrets/) for the corresponding private key management.
@@ -16,14 +16,14 @@
  nixConfig = {
    # substituers will be appended to the default substituters when fetching packages
    extra-substituters = [
      "https://anyrun.cachix.org"
      # "https://nix-gaming.cachix.org"
      # "https://nixpkgs-wayland.cachix.org"
      # "https://install.determinate.systems"
    ];
    extra-trusted-public-keys = [
      "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
      # "nix-gaming.cachix.org-1:nbjlureqMbRAxR1gJ/f3hxemL9svXaZF/Ees8vCUUs4="
      # "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
      # "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
    ];
  };
@@ -41,6 +41,8 @@
    nixpkgs-ollama.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs-patched.url = "github:ryan4yin/nixpkgs/nixos-unstable-patched";
    # for macos
    # nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-25.05-darwin";
    nixpkgs-darwin.url = "github:nixos/nixpkgs/nixpkgs-unstable";
@@ -48,7 +50,6 @@
      url = "github:lnl7/nix-darwin";
      inputs.nixpkgs.follows = "nixpkgs-darwin";
    };
    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
    # home-manager, used for managing user configuration
    home-manager = {
@@ -61,18 +62,29 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    determinate.url = "https://flakehub.com/f/DeterminateSystems/determinate/*";
    # https://github.com/catppuccin/nix
    catppuccin = {
      url = "github:catppuccin/nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    lanzaboote = {
      url = "github:nix-community/lanzaboote/v0.4.2";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    impermanence.url = "github:nix-community/impermanence";
+    preservation = {
      url = "github:nix-community/preservation";
    };
    # community wayland nixpkgs
    # nixpkgs-wayland.url = "github:nix-community/nixpkgs-wayland";
    # anyrun - a wayland launcher
    anyrun = {
-      url = "github:Kirottu/anyrun";
+      url = "github:/anyrun-org/anyrun/v25.9.0";
      inputs.nixpkgs.follows = "nixpkgs";
    };
@@ -90,8 +102,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nix-gaming.url = "github:fufexan/nix-gaming";
    disko = {
      url = "github:nix-community/disko/v1.11.0";
      inputs.nixpkgs.follows = "nixpkgs";
@@ -99,11 +109,14 @@
    # add git hooks to format nix code before commit
    pre-commit-hooks = {
-      url = "github:cachix/pre-commit-hooks.nix";
+      url = "github:cachix/git-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    nuenv.url = "github:DeterminateSystems/nuenv";
+    nuenv = {
      url = "github:DeterminateSystems/nuenv";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    haumea = {
      url = "github:nix-community/haumea/v0.2.2";
@@ -119,7 +132,29 @@
      url = "github:ghostty-org/ghostty";
    };
-    blender-bin.url = "github:edolstra/nix-warez?dir=blender";
+    blender-bin = {
      url = "github:edolstra/nix-warez?dir=blender";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-apple-silicon = {
      # 2025-08-25 asahi-6.15.10-3
      url = "github:nix-community/nixos-apple-silicon/b99bf9bf7445416fe55da09034fc4a6cd733805c";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    niri.url = "github:sodiboo/niri-flake";
    # -------------- Gaming ---------------------
    nix-gaming = {
      url = "github:fufexan/nix-gaming";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    aagl = {
      url = "github:ezKEa/aagl-gtk-on-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    ########################  Some non-flake repositories  #########################################
@@ -137,13 +172,21 @@
      flake = false;
    };
    my-asahi-firmware = {
      url = "git+ssh://git@github.com/ryan4yin/asahi-firmware.git?shallow=1";
      flake = false;
    };
    # my wallpapers
    wallpapers = {
      url = "github:ryan4yin/wallpapers";
      flake = false;
    };
-    nur-ryan4yin.url = "github:ryan4yin/nur-packages";
+    nur-ryan4yin = {
      url = "github:ryan4yin/nur-packages";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # for waydroid
    # nur-ataraxiasjel.url = "github:AtaraxiaSjel/nur";
@@ -12,16 +12,53 @@
  1. Accessing the network when they don't need to.
  1. Accessing hardware devices they don't need.
-## Current Status
+## Current Structure
-1. **System Level**:
+### 1. **System Level**
-   - [ ] AppArmor
+
-   - [ ] Kernel & System Hardening
+- **AppArmor** (`apparmor/`): AppArmor profiles and configuration
-1. **Per-App Level**:
+- **Kernel & System Hardening** (`profiles/`): System-wide hardening profiles
-   - Nixpak (Bubblewrap)
+
-     - [x] QQ
+### 2. **Per-App Level**
-     - [x] Firefox
+
-   - [ ] Firejail (risk? not enabled yet)
+- **Nixpak** (`nixpaks/`): Bubblewrap-based sandboxing for applications
  - Firefox configuration
  - QQ (Chinese messaging app) configuration
  - Modular system with reusable components
 - **Firejail** (legacy): SUID-based sandboxing (not used)
 - **Bubblewrap** (`bwraps/`): Direct bubblewrap configurations
  - WeChat sandboxing configuration
 ## Current Implementation Status
 | Component         | Status    | Notes                          |
 | ----------------- | --------- | ------------------------------ |
 | AppArmor Profiles | 🚧 WIP    | Basic structure in place       |
 | Nixpak Firefox    | ✅ Active | Firefox sandboxing via nixpak  |
 | Nixpak QQ         | ✅ Active | QQ application sandboxing      |
 | Bubblewrap WeChat | ✅ Active | WeChat specific sandboxing     |
 | System Profiles   | 🚧 WIP    | Hardened system configurations |
 ## Directory Structure
 ```
 hardening/
 ├── README.md
 ├── apparmor/           # AppArmor security profiles
 │   └── default.nix
 ├── bwraps/            # Direct bubblewrap configurations
 │   ├── default.nix
 │   └── wechat.nix
 ├── nixpaks/           # Nixpak application sandboxing
 │   ├── default.nix
 │   ├── firefox.nix
 │   ├── qq.nix
 │   └── modules/       # Reusable nixpak modules
 │       ├── gui-base.nix
 │       └── network.nix
 └── profiles/          # System hardening profiles
    └── default.nix
 ```
 ## Kernel Hardening
@@ -32,26 +69,27 @@
 - NixOS Profile:
  https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/profiles/hardened.nix
- Apparmor: [roddhjav/apparmor.d)](https://github.com/roddhjav/apparmor.d)
+- Apparmor: [roddhjav/apparmor.d](https://github.com/roddhjav/apparmor.d)
  - https://gitlab.com/apparmor/apparmor/-/wikis/Documentation
  - AppArmor.d is a set of over 1500 AppArmor profiles whose aim is to confine most Linux based
    applications and processes.
-  - Nix Package:
+  - But all the profiles of AppArmor assume a FHS filesystem, which caused all apparmor policies
-    [roddhjav-apparmor-rules](https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/ro/roddhjav-apparmor-rules/package.nix#L33)
+    takes no effect on NixOS.
-  - https://github.com/NixOS/nixpkgs/issues/331645
+  - Apparmor on NixOS Roadmap:
    - https://discourse.nixos.org/t/apparmor-on-nixos-roadmap/57217
    - https://github.com/LordGrimmauld/aa-alias-manager
 - SELinux: too complex, not recommended for personal use.
 ## Application Sandboxing
 - [Bubblewrap](https://github.com/containers/bubblewrap):
  [nixpak](https://github.com/nixpak/nixpak), more secure than firejail, but no batteries included.
  - NixOS's FHSEnv is implemented using bubblewrap by default.
 - [Firejail](https://github.com/netblue30/firejail/tree/master/etc): A SUID security sandbox with
  hundreds of security profiles for many common applications in the default installation.
  - https://wiki.nixos.org/wiki/Firejail
  - Firejail needs SUID to work, which is considered a security risk -
    [Does firejail improve the security of my system?](https://github.com/netblue30/firejail/discussions/4601)
 - [Bubblewrap](https://github.com/containers/bubblewrap):
  [nixpak](https://github.com/nixpak/nixpak), more secure than firejail, but no batteries included.
  - NixOS's FHSEnv is implemented using bubblewrap by default.
 - [Systemd/Hardening](https://wiki.nixos.org/wiki/Systemd/Hardening): Systemd also provides some
  sandboxing features.
@@ -67,21 +105,11 @@ provide a much higher level of security.
 - [Harden your NixOS workstation - dataswamp](https://dataswamp.org/~solene/2022-01-13-nixos-hardened.html)
 - [Linux Insecurities - Madaidans](https://madaidans-insecurities.github.io/linux.html)
 - [Sandboxing all programs by default - NixOS Discourse](https://discourse.nixos.org/t/sandboxing-all-programs-by-default/7792)
 - [在 Firejail 中运行 Steam](https://imbearchild.cyou/archives/2021/11/steam-in-firejail/)
 - [Firejail - Arch Linux Wiki](https://wiki.archlinux.org/title/Firejail)
 - [Paranoid NixOS Setup - xeiaso](https://xeiaso.net/blog/paranoid-nixos-2021-07-18/)
 - [nix-mineral](https://github.com/cynicsketch/nix-mineral): NixOS module for convenient system
  hardening.
 - nixpak configs:
  - https://github.com/pokon548/OysterOS/tree/b97604d89953373d6316286b96f6a964af2c398d/desktop/application
  - https://github.com/segment-tree/my-nixos/tree/ceb6041f73bd9edcb78a8818b27a28f7c629193b/hm/me/apps/nixpak
  - https://github.com/Keksgesicht/nixos-config/tree/91cc77d8d6b598da7c4dbed143e0009c2dea6940/packages/nixpak
  - https://github.com/bluskript/nix-config/blob/7ecb6a7254c1ac4969072f4c4febdc19f8b83b30/pkgs/nixpak/default.nix
 - firejail configs:
  - https://github.com/stelcodes/nixos-config/blob/f8967c82a5e5f3d128eb1aaf7498b5f918f719ec/packages/overlay.nix#L261
 - apparmor configs:
  - https://github.com/sukhmancs/nixos-configs/blob/7fcf737c506ad843113cd5b94796b49d4d4dfad2/modules/shared/security/apparmor/default.nix#L8
  - https://github.com/zramctl/dotfiles/blob/4fe177f6984154960942bb47d5a375098ec6ed6a/modules/nixos/security/apparmor.nix#L4
  - https://git.grimmauld.de/Grimmauld/grimm-nixos-laptop/src/branch/main/hardening
 - Others:
  - Directly via `buildFHSUserEnvBubblewrap`:
    https://github.com/xddxdd/nur-packages/blob/master/pkgs/uncategorized/wechat-uos/default.nix
@@ -2,7 +2,8 @@
  config,
  pkgs,
  ...
-}: {
+}:
 {
  services.dbus.apparmor = "enabled";
  security.apparmor = {
    enable = true;
@@ -0,0 +1,9 @@
 {
  nixpkgs.overlays = [
    (_: super: {
      bwraps = {
        wechat = super.callPackage ./wechat.nix { };
      };
    })
  ];
 }
@@ -0,0 +1,99 @@
 # - wechat's flatpak manifest: https://github.com/flathub/com.tencent.WeChat/blob/master/com.tencent.WeChat.yaml
 # Refer:
 # - Flatpak manifest's docs:
 #   - https://docs.flatpak.org/en/latest/manifests.html
 #   - https://docs.flatpak.org/en/latest/sandbox-permissions.html
 #
 # TODO Since appimageTools.wrapAppImage do not support overriding, I have to pack this package myself.
 # https://github.com/NixOS/nixpkgs/pull/358977
 {
  appimageTools,
  fetchurl,
  stdenvNoCC,
 }:
 let
  pname = "wechat";
  # https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat/package.nix
  sources = {
    aarch64-linux = {
      version = "4.0.1.11";
      src = fetchurl {
        url = "https://web.archive.org/web/20250512112413if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_arm64.AppImage";
        hash = "sha256-Rg+FWNgOPC02ILUskQqQmlz1qNb9AMdvLcRWv7NQhGk=";
      };
    };
    x86_64-linux = {
      version = "4.0.1.11";
      src = fetchurl {
        url = "https://web.archive.org/web/20250512110825if_/https://dldir1v6.qq.com/weixin/Universal/Linux/WeChatLinux_x86_64.AppImage";
        hash = "sha256-gBWcNQ1o1AZfNsmu1Vi1Kilqv3YbR+wqOod4XYAeVKo=";
      };
    };
  };
  inherit (stdenvNoCC.hostPlatform) system;
  inherit (sources.${system} or (throw "Unsupported system: ${system}")) version src;
  # https://github.com/NixOS/nixpkgs/blob/master/pkgs/by-name/we/wechat/linux.nix
  appimageContents = appimageTools.extract {
    inherit pname version src;
    postExtract = ''
      patchelf --replace-needed libtiff.so.5 libtiff.so $out/opt/wechat/wechat
    '';
  };
 in
 appimageTools.wrapAppImage {
  inherit pname version;
  src = appimageContents;
  extraInstallCommands = ''
    mkdir -p $out/share/applications
    cp ${appimageContents}/wechat.desktop $out/share/applications/
    mkdir -p $out/share/pixmaps
    cp ${appimageContents}/wechat.png $out/share/pixmaps/
    substituteInPlace $out/share/applications/wechat.desktop --replace-fail AppRun wechat
  '';
  # Add these root paths to FHS sandbox to prevent WeChat from accessing them by default
  # Adapted from https://aur.archlinux.org/cgit/aur.git/tree/wechat-universal.sh?h=wechat-universal-bwrap
  extraPreBwrapCmds = ''
    XDG_DOCUMENTS_DIR="''${XDG_DOCUMENTS_DIR:-$(xdg-user-dir DOCUMENTS)}"
    if [[ -z "''${XDG_DOCUMENTS_DIR}" ]]; then
        echo 'Error: Failed to get XDG_DOCUMENTS_DIR, refuse to continue'
        exit 1
    fi
    WECHAT_DATA_DIR="''${XDG_DOCUMENTS_DIR}/WeChat_Data"
    # Using ''${WECHAT_DATA_DIR} as Wechat Data folder
    WECHAT_HOME_DIR="''${WECHAT_DATA_DIR}/home"
    WECHAT_FILES_DIR="''${WECHAT_DATA_DIR}/xwechat_files"
    mkdir -p "''${WECHAT_FILES_DIR}"
    mkdir -p "''${WECHAT_HOME_DIR}"
    ln -snf "''${WECHAT_FILES_DIR}" "''${WECHAT_HOME_DIR}/xwechat_files"
  '';
  extraBwrapArgs = [
    "--tmpfs /home"
    "--tmpfs /root"
    # format: --bind <host-path> <sandbox-path>
    "--bind \${WECHAT_HOME_DIR} \${HOME}"
    "--bind \${WECHAT_FILES_DIR} \${WECHAT_FILES_DIR}"
    "--chdir \${HOME}"
    # wechat-universal only supports xcb
    "--setenv QT_QPA_PLATFORM xcb"
    "--setenv QT_AUTO_SCREEN_SCALE_FACTOR 1"
    # use fcitx as IME
    "--setenv QT_IM_MODULE fcitx"
    "--setenv GTK_IM_MODULE fcitx"
  ];
  chdirToPwd = false;
  unshareNet = false;
  unshareIpc = true;
  unsharePid = true;
  unshareUts = true;
  unshareCgroup = true;
  privateTmp = true;
 }
@@ -1,71 +0,0 @@
 {pkgs, ...}: let
  firejailWrapper = import ./firejailWrapper.nix pkgs;
 in {
  programs.firejail.enable = true;
  # Add firejailed Apps into nixsuper, and reference them in home-manager or other nixos modules
  nixpkgs.overlays = [
    (_: super: {
      firejailed = {
        steam = firejailWrapper {
          name = "steam-firejailed";
          executable = "${super.steam}/bin/steam";
          profile = "${super.firejail}/etc/firejail/steam.profile";
        };
        steam-run = firejailWrapper {
          name = "steam-run-firejailed";
          executable = "${super.steam}/bin/steam-run";
          profile = "${super.firejail}/etc/firejail/steam.profile";
        };
        # firefox = firejailWrapper {
        #   name = "firefox-firejailed";
        #   executable = "${super.lib.getBin super.firefox-wayland}/bin/firefox";
        #   profile = "${super.firejail}/etc/firejail/firefox.profile";
        # };
        # chromium = firejailWrapper {
        #   name = "chromium-firejailed";
        #   executable = "${super.lib.getBin super.ungoogled-chromium}/bin/chromium";
        #   profile = "${super.firejail}/etc/firejail/chromium.profile";
        # };
        mpv = firejailWrapper {
          executable = "${super.lib.getBin super.mpv}/bin/mpv";
          profile = "${super.firejail}/etc/firejail/mpv.profile";
        };
        imv = firejailWrapper {
          executable = "${super.lib.getBin super.imv}/bin/imv";
          profile = "${super.firejail}/etc/firejail/imv.profile";
        };
        zathura = firejailWrapper {
          executable = "${super.lib.getBin super.zathura}/bin/zathura";
          profile = "${super.firejail}/etc/firejail/zathura.profile";
        };
        slack = firejailWrapper {
          executable = "${super.lib.getBin super.slack}/bin/slack";
          profile = "${super.firejail}/etc/firejail/slack.profile";
        };
        telegram-desktop = firejailWrapper {
          executable = "${super.lib.getBin super.tdesktop}/bin/telegram-desktop";
          profile = "${super.firejail}/etc/firejail/telegram-desktop.profile";
        };
        brave = firejailWrapper {
          executable = "${super.lib.getBin super.brave}/bin/brave";
          profile = "${super.firejail}/etc/firejail/brave.profile";
        };
        qutebrowser = firejailWrapper {
          executable = "${super.lib.getBin super.qutebrowser}/bin/qutebrowser";
          profile = "${super.firejail}/etc/firejail/qutebrowser.profile";
        };
        thunar = firejailWrapper {
          executable = "${super.lib.getBin super.xfce.thunar}/bin/thunar";
          profile = "${super.firejail}/etc/firejail/thunar.profile";
        };
        vscodium = firejailWrapper {
          executable = "${super.lib.getBin super.vscodium}/bin/vscodium";
          profile = "${super.firejail}/etc/firejail/vscodium.profile";
        };
      };
    })
  ];
 }
@@ -1,35 +0,0 @@
 # https://www.reddit.com/r/NixOS/comments/1b56jdx/simple_nix_function_for_wrapping_executables_with/
 pkgs: {
  name ? "firejail-wrapper",
  executable,
  desktop ? null,
  profile ? null,
  extraArgs ? [],
 }:
 pkgs.runCommand name
 {
  preferLocalBuild = true;
  allowSubstitutes = false;
  meta.priority = -1; # take precedence over non-firejailed versions
 }
 (
  let
    firejailArgs = pkgs.lib.concatStringsSep " " (
      extraArgs ++ (pkgs.lib.optional (profile != null) "--profile=${toString profile}")
    );
  in
    ''
      command_path="$out/bin/$(basename ${executable})-jailed"
      mkdir -p $out/bin
      mkdir -p $out/share/applications
      cat <<'_EOF' >"$command_path"
      #! ${pkgs.runtimeShell} -e
      exec /run/wrappers/bin/firejail ${firejailArgs} -- ${toString executable} "\$@"
      _EOF
      chmod 0755 "$command_path"
    ''
    + pkgs.lib.optionalString (desktop != null) ''
      substitute ${desktop} $out/share/applications/$(basename ${desktop}) \
        --replace ${executable} "$command_path"
    ''
 )
@@ -1,8 +1,10 @@
 {
  pkgs,
  pkgs-patched,
  nixpak,
  ...
-}: let
+}:
 let
  callArgs = {
    mkNixPak = nixpak.lib.nixpak {
      inherit (pkgs) lib;
@@ -13,20 +15,17 @@
      (sloth.concat' sloth.homeDir mapdir)
    ];
  };
-  wrapper = _pkgs: path: (_pkgs.callPackage path callArgs).config.script;
+  wrapper = _pkgs: path: (_pkgs.callPackage path callArgs);
-in {
+in
 {
  # Add nixpaked Apps into nixpkgs, and reference them in home-manager or other nixos modules
  nixpkgs.overlays = [
    (_: super: {
      nixpaks = {
-        qq = wrapper super ./qq.nix;
+        qq = wrapper pkgs-patched ./qq.nix;
-        qq-desktop-item = super.callPackage ./qq-desktop-item.nix {};
+        wechat = wrapper super ./wechat.nix;
-
+        telegram-desktop = wrapper super ./telegram-desktop.nix;
        wechat-uos = wrapper super ./wechat-uos.nix;
        wechat-uos-desktop-item = super.callPackage ./wechat-uos-desktop-item.nix {};
        firefox = wrapper super ./firefox.nix;
        firefox-desktop-item = super.callPackage ./firefox-desktop-item.nix {};
      };
    })
  ];
@@ -1,11 +0,0 @@
 {makeDesktopItem}:
 makeDesktopItem {
  name = "firefox";
  desktopName = "firefox";
  exec = "firefox %U";
  terminal = false;
  icon = "firefox";
  type = "Application";
  categories = ["Network"];
  comment = "firefox boxed";
 }
@@ -5,25 +5,33 @@
 # - Firefox's flatpak manifest: https://hg.mozilla.org/mozilla-central/file/tip/taskcluster/docker/firefox-flatpak/runme.sh#l151
 {
  lib,
-  pkgs,
+  firefox-wayland,
  mkNixPak,
  buildEnv,
  makeDesktopItem,
  ...
 }:
-mkNixPak {
+
-  config = {
+let
  appId = "org.mozilla.firefox";
  wrapped = mkNixPak {
    config =
      {
        config,
        sloth,
        ...
-  }: {
+      }:
      {
        app = {
-      package = pkgs.firefox-wayland;
+          package = firefox-wayland;
          binPath = "bin/firefox";
        };
-    flatpak.appId = "org.mozilla.firefox";
+        flatpak.appId = appId;
        imports = [
          ./modules/gui-base.nix
          ./modules/network.nix
          ./modules/common.nix
        ];
        # list all dbus services:
@@ -33,11 +41,15 @@ mkNixPak {
          "org.mozilla.firefox.*" = "own"; # firefox
          "org.mozilla.firefox_beta.*" = "own"; # firefox beta
          "org.mpris.MediaPlayer2.firefox.*" = "own";
-      "org.freedesktop.NetworkManager" = "talk";
+
          "org.gnome.Shell.Screencast" = "talk";
          # System tray icon
          "org.freedesktop.Notifications" = "talk";
          "org.kde.StatusNotifierWatcher" = "talk";
        };
        bubblewrap = {
-      # To trace all the home files QQ accesses, you can use the following nushell command:
+          # To trace all the home files Firefox accesses, you can use the following nushell command:
          #   just trace-access firefox
          # See the Justfile in the root of this repository for more information.
          bind.rw = [
@@ -45,16 +57,23 @@ mkNixPak {
            # NOTE: sloth.mkdir is used to create the directory if it does not exist!
            (sloth.mkdir (sloth.concat' sloth.homeDir "/.mozilla"))
        # ================ for externsions ===============================
        # required by https://github.com/browserpass/browserpass-extension
        (sloth.concat' sloth.homeDir "/.local/share/password-store") # pass
        sloth.xdgDownloadDir
            sloth.xdgDocumentsDir
            sloth.xdgDownloadDir
            sloth.xdgMusicDir
            sloth.xdgVideosDir
          ];
          bind.ro = [
        # To actually make Firefox run
            "/sys/bus/pci"
-        ["${config.app.package}/lib/firefox" "/app/etc/firefox"]
+            [
              "${config.app.package}/lib/firefox"
              "/app/etc/firefox"
            ]
            # ================ for browserpass extension ===============================
            "/etc/gnupg"
            (sloth.concat' sloth.homeDir "/.gnupg") # gpg's config
            (sloth.concat' sloth.homeDir "/.local/share/password-store") # my secrets
            (sloth.concat' sloth.runtimeDir "/gnupg") # for access gpg-agent socket
            # Unsure
            (sloth.concat' sloth.xdgConfigHome "/dconf")
@@ -65,12 +84,57 @@ mkNixPak {
            wayland = true;
            pipewire = true;
          };
      bind.dev = [
        "/dev/shm" # Shared Memory
      ];
      tmpfs = [
        "/tmp"
      ];
        };
      };
  };
  exePath = lib.getExe wrapped.config.script;
 in
 buildEnv {
  inherit (wrapped.config.script) name meta passthru;
  paths = [
    wrapped.config.script
    (makeDesktopItem {
      name = appId;
      desktopName = "Firefox";
      genericName = "Firefox Boxed";
      comment = "Firefox Browser";
      exec = "${exePath} %U";
      terminal = false;
      icon = "firefox";
      startupNotify = true;
      startupWMClass = "firefox";
      type = "Application";
      categories = [
        "Network"
        "WebBrowser"
      ];
      mimeTypes = [
        "text/html"
        "text/xml"
        "application/xhtml+xml"
        "application/vnd.mozilla.xul+xml"
        "x-scheme-handler/http"
        "x-scheme-handler/https"
      ];
      actions = {
        new-private-window = {
          name = "New Private Window";
          exec = "${exePath} --private-window %U";
        };
        new-window = {
          name = "New Window";
          exec = "${exePath} --new-window %U";
        };
        profile-manager-window = {
          name = "Profile Manager";
          exec = "${exePath} --ProfileManager";
        };
      };
      extraConfig = {
        X-Flatpak = appId;
      };
    })
  ];
 }
@@ -0,0 +1,236 @@
 {
  lib,
  pkgs,
  sloth,
  config,
  ...
 }:
 {
  config = {
    dbus =
      let
        inherit (config.flatpak) appId;
      in
      {
        policies = {
          "${appId}" = "own";
          "${appId}.*" = "own";
          "org.freedesktop.DBus" = "talk";
          "org.gtk.vfs.*" = "talk";
          "org.gtk.vfs" = "talk";
          "ca.desrt.dconf" = "talk";
          "org.freedesktop.portal.*" = "talk";
          "org.a11y.Bus" = "talk";
          "org.freedesktop.appearance" = "talk";
          "org.freedesktop.appearance.*" = "talk";
        }
        // (builtins.listToAttrs (
          map (id: lib.nameValuePair "org.kde.StatusNotifierItem-${toString id}-1" "own") (
            lib.lists.range 2 11
          )
        ))
        // {
          # --- MPRIS Media Control ---
          # Allows the app to register as a media player. These are derived from the appID.
          "org.mpris.MediaPlayer2.${appId}" = "own";
          "org.mpris.MediaPlayer2.${appId}.*" = "own";
          "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}" = "own";
          "org.mpris.MediaPlayer2.${lib.lists.last (lib.strings.splitString "." appId)}.*" = "own";
          # Conditionally allows a custom, friendlier MPRIS name if 'mprisName' is set.
          #       "org.mpris.MediaPlayer2.${mprisName}" = "own";
          #       "org.mpris.MediaPlayer2.${mprisName}.*" = "own";
          # --- General Desktop Integration ---
          "com.canonical.AppMenu.Registrar" = "talk"; # For Ubuntu AppMenu
          "org.freedesktop.FileManager1" = "talk";
          "org.freedesktop.Notifications" = "talk";
          # --- Accessibility (a11y) ---
          "org.a11y.Bus" = "see";
          # --- Portal Access ---
          "org.freedesktop.portal.Documents" = "talk";
          "org.freedesktop.portal.FileTransfer" = "talk";
          "org.freedesktop.portal.FileTransfer.*" = "talk";
          "org.freedesktop.portal.Notification" = "talk";
          "org.freedesktop.portal.OpenURI" = "talk";
          "org.freedesktop.portal.OpenURI.OpenFile" = "talk";
          "org.freedesktop.portal.OpenURI.OpenURI" = "talk";
          "org.freedesktop.portal.Print" = "talk";
          "org.freedesktop.portal.Request" = "see";
          # --- Input Method Portals ---
          "org.freedesktop.portal.Fcitx" = "talk";
          "org.freedesktop.portal.Fcitx.*" = "talk";
          "org.freedesktop.portal.IBus" = "talk";
          "org.freedesktop.portal.IBus.*" = "talk";
        };
        rules = {
          # 'call' rules permit specific method calls on D-Bus interfaces.
          call = {
            # --- Accessibility ---
            "org.a11y.Bus" = [
              "org.a11y.Bus.GetAddress@/org/a11y/bus"
              "org.freedesktop.DBus.Properties.Get@/org/a11y/bus"
            ];
            # --- General Portal Rules ---
            "org.freedesktop.FileManager1" = [ "*" ];
            "org.freedesktop.Notifications.*" = [ "*" ];
            "org.freedesktop.portal.Documents" = [ "*" ];
            "org.freedesktop.portal.FileTransfer" = [ "*" ];
            "org.freedesktop.portal.FileTransfer.*" = [ "*" ];
            "org.freedesktop.portal.Fcitx" = [ "*" ];
            "org.freedesktop.portal.Fcitx.*" = [ "*" ];
            "org.freedesktop.portal.IBus" = [ "*" ];
            "org.freedesktop.portal.IBus.*" = [ "*" ];
            "org.freedesktop.portal.Notification" = [ "*" ];
            "org.freedesktop.portal.OpenURI" = [ "*" ];
            "org.freedesktop.portal.OpenURI.OpenFile" = [ "*" ];
            "org.freedesktop.portal.OpenURI.OpenURI" = [ "*" ];
            "org.freedesktop.portal.Print" = [ "*" ];
            "org.freedesktop.portal.Request" = [ "*" ];
            # --- Main Desktop Portal Interface ---
            # A comprehensive list of permissions for interacting with the desktop environment.
            "org.freedesktop.portal.Desktop" = [
              # Device Access
              "org.freedesktop.portal.Camera"
              "org.freedesktop.portal.Camera.*"
              "org.freedesktop.portal.Usb"
              "org.freedesktop.portal.Usb.*"
              # File Chooser & Documents
              "org.freedesktop.portal.Documents"
              "org.freedesktop.portal.Documents.*"
              "org.freedesktop.portal.FileChooser"
              "org.freedesktop.portal.FileChooser.*"
              "org.freedesktop.portal.FileTransfer"
              "org.freedesktop.portal.FileTransfer.*"
              # Input Methods
              "org.freedesktop.portal.Fcitx"
              "org.freedesktop.portal.Fcitx.*"
              "org.freedesktop.portal.IBus"
              "org.freedesktop.portal.IBus.*"
              # Notifications & Printing
              "org.freedesktop.portal.Notification"
              "org.freedesktop.portal.Notification.*"
              "org.freedesktop.portal.Print"
              "org.freedesktop.portal.Print.*"
              # Open/Launch Handlers
              "org.freedesktop.portal.Email.ComposeEmail"
              "org.freedesktop.portal.OpenURI"
              "org.freedesktop.portal.OpenURI.*"
              # Properties & Session Management
              "org.freedesktop.DBus.Properties.GetAll"
              "org.freedesktop.DBus.Properties.Get@/org/freedesktop/portal/desktop"
              "org.freedesktop.portal.Session.Close"
              # Screen Capture & Sharing
              "org.freedesktop.portal.RemoteDesktop"
              "org.freedesktop.portal.RemoteDesktop.*"
              "org.freedesktop.portal.ScreenCast"
              "org.freedesktop.portal.ScreenCast.*"
              "org.freedesktop.portal.Screenshot"
              "org.freedesktop.portal.Screenshot.Screenshot"
              # Secrets (Keyring)
              "org.freedesktop.portal.Secret"
              "org.freedesktop.portal.Secret.RetrieveSecret"
              # Settings
              "org.freedesktop.portal.Settings.Read"
              "org.freedesktop.portal.Settings.ReadAll"
              # System Information
              "org.freedesktop.portal.Account.GetUserInformation"
              "org.freedesktop.portal.NetworkMonitor"
              "org.freedesktop.portal.NetworkMonitor.*"
              "org.freedesktop.portal.ProxyResolver.Lookup"
              "org.freedesktop.portal.ProxyResolver.Lookup.*"
              # Generic Request Fallback
              "org.freedesktop.portal.Request"
              # --- Conditional Portal Rules ---
              # These would be enabled based on config flags in a real implementation.
              # Enabled if 'allowGlobalShortcuts = true'
              "org.freedesktop.portal.GlobalShortcuts"
              "org.freedesktop.portal.GlobalShortcuts.*"
              # Enabled if 'allowInhibit = true'
              "org.freedesktop.portal.Inhibit"
              "org.freedesktop.portal.Inhibit.*"
              # Enabled if 'XDG_CURRENT_DESKTOP = "GNOME"'
              "org.freedesktop.portal.Location"
              "org.freedesktop.portal.Location.*"
            ];
          };
          # 'broadcast' rules permit receiving signals from D-Bus names.
          broadcast = {
            "org.freedesktop.portal.*" = [ "@/org/freedesktop/portal/*" ];
          };
        };
        args = [
          "--filter"
          "--sloppy-names"
          "--log"
        ];
      };
    etc.sslCertificates.enable = true;
    bubblewrap = {
      network = lib.mkDefault true;
      sockets = {
        wayland = true;
        pulse = true;
      };
      bind.rw = with sloth; [
        [
          (mkdir appDataDir)
          xdgDataHome
        ]
        [
          (mkdir appConfigDir)
          xdgConfigHome
        ]
        [
          (mkdir appCacheDir)
          xdgCacheHome
        ]
        (sloth.concat [
          sloth.runtimeDir
          "/"
          (sloth.envOr "WAYLAND_DISPLAY" "no")
        ])
        (sloth.concat' sloth.runtimeDir "/at-spi/bus")
        (sloth.concat' sloth.runtimeDir "/gvfsd")
        (sloth.concat' sloth.runtimeDir "/dconf")
        (sloth.concat' sloth.xdgCacheHome "/fontconfig")
        (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache")
        (sloth.concat' sloth.xdgCacheHome "/mesa_shader_cache_db")
        (sloth.concat' sloth.xdgCacheHome "/radv_builtin_shaders")
      ];
      bind.ro = [
        (sloth.concat' sloth.runtimeDir "/doc")
        (sloth.concat' sloth.xdgConfigHome "/kdeglobals")
        (sloth.concat' sloth.xdgConfigHome "/gtk-2.0")
        (sloth.concat' sloth.xdgConfigHome "/gtk-3.0")
        (sloth.concat' sloth.xdgConfigHome "/gtk-4.0")
        (sloth.concat' sloth.xdgConfigHome "/fontconfig")
        (sloth.concat' sloth.xdgConfigHome "/dconf")
      ];
      bind.dev = [ "/dev/shm" ] ++ (map (id: "/dev/video${toString id}") (lib.lists.range 0 9));
    };
  };
 }
@@ -5,21 +5,18 @@
  pkgs,
  sloth,
  ...
-}: let
+}:
 let
  envSuffix = envKey: suffix: sloth.concat' (sloth.env envKey) suffix;
  # cursor & icon's theme should be the same as the host's one.
  cursorTheme = pkgs.bibata-cursors;
  iconTheme = pkgs.papirus-icon-theme;
-in {
+in
 {
  config = {
    dbus.policies = {
      "${config.flatpak.appId}" = "own";
-      "org.freedesktop.DBus" = "talk";
+      # we add other policies in ./common.nix
      "org.gtk.vfs.*" = "talk";
      "org.gtk.vfs" = "talk";
      "ca.desrt.dconf" = "talk";
      "org.freedesktop.portal.*" = "talk";
      "org.a11y.Bus" = "talk";
    };
    # https://github.com/nixpak/nixpak/blob/master/modules/gpu.nix
    # 1. bind readonly - /run/opengl-driver
@@ -64,14 +61,16 @@ in {
        (sloth.concat' sloth.xdgConfigHome "/fontconfig")
        "/etc/fonts" # for fontconfig
-        "/etc/machine-id"
+        "/etc/localtime" # this is a symlink to /etc/zoneinfo/xxx
-        "/etc/localtime"
+        "/etc/zoneinfo"
        # Fix: libEGL warning: egl: failed to create dri2 screen
        "/etc/egl"
        "/etc/static/egl"
      ];
      bind.dev = [
        "/dev/shm" # Shared Memory
        # seems required when using nvidia as primary gpu
        "/dev/nvidia0"
        "/dev/nvidiactl"
@@ -79,16 +78,24 @@ in {
        "/dev/nvidia-uvm"
      ];
      tmpfs = [
        "/tmp"
      ];
      env = {
-        XDG_DATA_DIRS = lib.mkForce (lib.makeSearchPath "share" [
+        XDG_DATA_DIRS = lib.mkForce (
          lib.makeSearchPath "share" [
            iconTheme
            cursorTheme
            pkgs.shared-mime-info
-        ]);
+          ]
-        XCURSOR_PATH = lib.mkForce (lib.concatStringsSep ":" [
+        );
        XCURSOR_PATH = lib.mkForce (
          lib.concatStringsSep ":" [
            "${cursorTheme}/share/icons"
            "${cursorTheme}/share/pixmaps"
-        ]);
+          ]
        );
      };
    };
  };
@@ -2,7 +2,7 @@
 {
  etc.sslCertificates.enable = true;
  bubblewrap = {
-    bind.ro = ["/etc/resolv.conf"];
+    bind.ro = [ "/etc/resolv.conf" ];
    network = true;
  };
 }
@@ -1,17 +0,0 @@
 {
  makeDesktopItem,
  qq,
 }:
 makeDesktopItem {
  name = "qq";
  desktopName = "QQ";
  exec = "qq %U";
  terminal = false;
  # To find the icon name(nushell):
  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#qq.outPath | str trim --char '"'
  #   tree $"($p)/share/icons"
  icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
  type = "Application";
  categories = ["Network"];
  comment = "QQ boxed";
 }
@@ -5,24 +5,30 @@
 # - QQ's flatpak manifest: https://github.com/flathub/com.qq.QQ/blob/master/com.qq.QQ.yaml
 {
  lib,
-  pkgs,
+  qq,
  mkNixPak,
  buildEnv,
  makeDesktopItem,
  ...
 }:
-mkNixPak {
+
-  config = {sloth, ...}: {
+let
  appId = "com.qq.QQ";
  wrapped = mkNixPak {
    config =
      { sloth, ... }:
      {
        app = {
-      package = pkgs.qq.override {
+          package = qq;
        # fix fcitx5 input method
        commandLineArgs = lib.concatStringsSep " " ["--enable-wayland-ime"];
      };
          binPath = "bin/qq";
        };
-    flatpak.appId = "com.tencent.qq";
+        flatpak.appId = appId;
        imports = [
          ./modules/gui-base.nix
          ./modules/network.nix
          ./modules/common.nix
        ];
        # list all dbus services:
@@ -30,31 +36,56 @@ mkNixPak {
        #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
        dbus.policies = {
          "org.gnome.Shell.Screencast" = "talk";
          # System tray icon
          "org.freedesktop.Notifications" = "talk";
          "org.kde.StatusNotifierWatcher" = "talk";
          # File Manager
          "org.freedesktop.FileManager1" = "talk";
          # Uses legacy StatusNotifier implementation
          "org.kde.*" = "own";
        };
        bubblewrap = {
          # To trace all the home files QQ accesses, you can use the following nushell command:
          #   just trace-access qq
          # See the Justfile in the root of this repository for more information.
          bind.rw = [
-        # given the read write permission to the following directories.
+            sloth.xdgDocumentsDir
        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
        (sloth.mkdir (sloth.concat [sloth.xdgConfigHome "/QQ"]))
        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/QQ"]))
            sloth.xdgDownloadDir
            sloth.xdgMusicDir
            sloth.xdgVideosDir
          ];
          sockets = {
            x11 = false;
            wayland = true;
            pipewire = true;
          };
      bind.dev = [
        "/dev/shm" # Shared Memory
      ];
      tmpfs = [
        "/tmp"
      ];
        };
      };
  };
  exePath = lib.getExe wrapped.config.script;
 in
 buildEnv {
  inherit (wrapped.config.script) name meta passthru;
  paths = [
    wrapped.config.script
    (makeDesktopItem {
      name = appId;
      desktopName = "QQ";
      genericName = "QQ Boxed";
      comment = "Tencent QQ, also known as QQ, is an instant messaging software service and web portal developed by the Chinese technology company Tencent.";
      exec = "${exePath} %U";
      terminal = false;
      icon = "${qq}/share/icons/hicolor/512x512/apps/qq.png";
      startupNotify = true;
      startupWMClass = "QQ";
      type = "Application";
      categories = [
        "InstantMessaging"
        "Network"
      ];
      extraConfig = {
        X-Flatpak = appId;
      };
    })
  ];
 }
@@ -0,0 +1,104 @@
 {
  lib,
  telegram-desktop,
  buildEnv,
  mkNixPak,
  makeDesktopItem,
  ...
 }:
 let
  appId = "org.telegram.desktop";
  wrapped = mkNixPak {
    config =
      { sloth, ... }:
      {
        imports = [
          ./modules/gui-base.nix
          ./modules/network.nix
          ./modules/common.nix
        ];
        app.package = telegram-desktop;
        flatpak = {
          appId = appId;
        };
        dbus = {
          enable = true;
          policies = {
            "org.gnome.Mutter.IdleMonitor" = "talk";
            "org.freedesktop.Notifications" = "talk";
            "org.kde.StatusNotifierWatcher" = "talk";
            "com.canonical.AppMenu.Registrar" = "talk";
            "com.canonical.indicator.application" = "talk";
            "org.ayatana.indicator.application" = "talk";
            "org.sigxcpu.Feedback" = "talk";
          };
        };
        bubblewrap = {
          bind.rw = [
            sloth.xdgDocumentsDir
            sloth.xdgDownloadDir
            sloth.xdgMusicDir
            sloth.xdgVideosDir
          ];
          sockets = {
            x11 = false;
            wayland = true;
            pipewire = true;
          };
        };
      };
  };
  exePath = lib.getExe wrapped.config.script;
 in
 buildEnv {
  inherit (wrapped.config.script) name meta passthru;
  paths = [
    wrapped.config.script
    (makeDesktopItem {
      name = appId;
      desktopName = "Telegram";
      comment = "New era of messaging";
      tryExec = "${exePath}";
      exec = "${exePath} -- %u";
      icon = appId;
      startupNotify = true;
      startupWMClass = appId;
      terminal = false;
      type = "Application";
      categories = [
        "Chat"
        "Network"
        "InstantMessaging"
        "Qt"
      ];
      mimeTypes = [
        "x-scheme-handler/tg"
        "x-scheme-handler/tonsite"
      ];
      keywords = [
        "tg"
        "chat"
        "im"
        "messaging"
        "messenger"
        "sms"
        "tdesktop"
      ];
      actions = {
        quit = {
          name = "Quit Telegram";
          exec = "${exePath} -quit";
          icon = "application-exit";
        };
      };
      extraConfig = {
        X-Flatpak = appId;
        DBusActivatable = "true";
        SingleMainWindow = "true";
        X-GNOME-UsesNotifications = "true";
        X-GNOME-SingleWindow = "true";
      };
    })
  ];
 }
@@ -1,17 +0,0 @@
 {
  makeDesktopItem,
  wechat-uos,
 }:
 makeDesktopItem {
  name = "wechat";
  desktopName = "WeChat";
  exec = "wechat-uos %U";
  terminal = false;
  # To find the icon name(nushell):
  #   let p = NIXPKGS_ALLOW_UNFREE=1 nix eval --impure nixpkgs#wechat-uos.outPath | str trim --char '"'
  #   tree $"($p)/share/icons"
  icon = "${wechat-uos}/share/icons/hicolor/256x256/apps/com.tencent.wechat.png";
  type = "Application";
  categories = ["Network"];
  comment = "Wechat boxed";
 }
@@ -1,73 +0,0 @@
 # TODO: wechat-uos is running in FHS sandbox by default, it's problematic
 #   to wrap it again via flatpak. We need to find a way to fix it.
 #   https://github.com/NixOS/nixpkgs/blob/nixos-unstable/pkgs/by-name/we/wechat-uos/package.nix
 # Refer:
 # - Flatpak manifest's docs:
 #   - https://docs.flatpak.org/en/latest/manifests.html
 #   - https://docs.flatpak.org/en/latest/sandbox-permissions.html
 # - wechat-uos's flatpak manifest: https://github.com/flathub/com.tencent.WeChat/blob/master/com.tencent.WeChat.yaml
 {
  lib,
  pkgs,
  mkNixPak,
  ...
 }:
 mkNixPak {
  config = {sloth, ...}: {
    app = {
      package = pkgs.wechat-uos;
      binPath = "bin/wechat-uos";
    };
    flatpak.appId = "com.tencent.WeChat";
    imports = [
      ./modules/gui-base.nix
      ./modules/network.nix
    ];
    # list all dbus services:
    #   ls -al /run/current-system/sw/share/dbus-1/services/
    #   ls -al /etc/profiles/per-user/ryan/share/dbus-1/services/
    dbus.policies = {
      "org.gnome.Shell.Screencast" = "talk";
      # System tray icon
      "org.freedesktop.Notifications" = "talk";
      "org.kde.StatusNotifierWatcher" = "talk";
      # File Manager
      "org.freedesktop.FileManager1" = "talk";
      # Uses legacy StatusNotifier implementation
      "org.kde.*" = "own";
    };
    bubblewrap = {
      # To trace all the home files QQ accesses, you can use the following nushell command:
      #   just trace-access wechat-uos
      # See the Justfile in the root of this repository for more information.
      bind.rw = [
        # given the read write permission to the following directories.
        # NOTE: sloth.mkdir is used to create the directory if it does not exist!
        (sloth.mkdir (sloth.concat [sloth.homeDir "/.xwechat"]))
        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/xwechat_files"]))
        (sloth.mkdir (sloth.concat [sloth.xdgDocumentsDir "/WeChat_Data/"]))
        sloth.xdgDownloadDir
      ];
      sockets = {
        x11 = false;
        wayland = true;
        pipewire = true;
      };
      bind.dev = [
        "/dev/shm" # Shared Memory
      ];
      tmpfs = [
        "/tmp"
      ];
      env = {
        # Hidpi scale
        "QT_AUTO_SCREEN_SCALE_FACTOR" = "1";
        # Only supports xcb
        "QT_QPA_PLATFORM" = "kcb";
      };
    };
  };
 }
@@ -1,4 +1,5 @@
-{modulesPath, ...}: {
+{ modulesPath, ... }:
 {
  imports = [
    (modulesPath + "/profiles/hardened.nix")
  ];
@@ -1,5 +1,49 @@
 # Home Manager's Submodules
-1. `base`: The base module that is suitable for both Linux and macOS.
+This directory contains all Home Manager configurations organized by platform and functionality.
-2. `linux`: Linux-specific configuration.
+
-3. `darwin`: macOS-specific configuration.
+## Current Structure
 ```
 home/
 ├── base/              # Cross-platform home manager configurations
 │   ├── core/          # Essential applications and settings
 │   │   ├── editors/   # Editor configurations (Neovim, Helix)
 │   │   ├── shells/    # Shell configurations (Nushell, Zellij)
 │   │   └── ...
 │   ├── gui/           # GUI applications and desktop settings
 │   │   ├── terminal/  # Terminal emulators (Kitty, Alacritty, etc.)
 │   │   └── ...
 │   ├── tui/           # Terminal/TUI applications
 │   │   ├── editors/   # TUI editors and related tools
 │   │   ├── encryption/ # GPG, password-store, etc.
 │   │   └── ...
 │   └── home.nix       # Main home manager entry point
 ├── linux/             # Linux-specific home manager configurations
 │   ├── base/          # Linux base configurations
 │   ├── gui/           # Linux GUI applications
 │   │   ├── hyprland/  # Hyprland window manager
 │   │   ├── niri/      # Niri window manager
 │   │   └── ...
 │   ├── editors/       # Linux-specific editors
 │   └── ...
 └── darwin/            # macOS-specific home manager configurations
    ├── aerospace/     # macOS window manager
    ├── proxy/         # Proxy configurations
    └── ...
 ```
 ## Module Overview
 1. **base**: The base module suitable for both Linux and macOS
   - Cross-platform applications and settings
   - Shared configurations for editors, shells, and essential tools
 2. **linux**: Linux-specific configuration
   - Desktop environments (Hyprland, Niri)
   - Linux-specific GUI applications
   - System integration tools
 3. **darwin**: macOS-specific configuration
   - macOS applications and services
   - Platform-specific integrations (Aerospace, Squirrel, etc.)
@@ -1,5 +1,66 @@
 # Home Manager's Base Submodules
-1. `server`: Configuration which is suitable for both servers and desktops.
+This directory contains cross-platform base configurations that are shared between Linux and Darwin
-1. `desktop`: Configuration for desktop environments, such as Hyprland, I3, etc.
+systems.
-1. `core.nix`: Minimal home-manager's config
+
 ## Configuration Structure
 ### Core System
 - **core/**: Essential cross-platform configurations
  - **core.nix**: Minimal home-manager configuration
  - **shells/**: Shell configurations (bash, zsh, fish, nu)
  - **editors/**: Text editor configurations
    - **neovim/**: Neovim with custom plugins and settings
    - **helix/**: Helix editor configuration
  - **btop.nix**: System monitoring tools
  - **git.nix**: Git configuration and aliases
  - **npm.nix**: Node.js package management
  - **pip.nix**: Python package management
  - **starship.nix**: Cross-shell prompt configuration
  - **theme.nix**: Color schemes and theming
  - **yazi.nix**: Terminal file manager configuration
  - **zellij/**: Terminal multiplexer with custom layouts
 ### Desktop Environment
 - **gui/**: Cross-platform GUI applications and configurations
  - **dev-tools.nix**: Development tools and IDEs
  - **media.nix**: Media players and utilities
  - **terminal/**: Terminal emulator configurations
    - **alacritty/**: Alacritty terminal
    - **kitty/**: Kitty terminal
    - **foot/**: Foot terminal (Linux)
    - **ghostty/**: Ghostty terminal
 ### Terminal Interface
 - **tui/**: Terminal-based interface configurations
  - **cloud/**: Cloud development tools (Terraform, etc.)
  - **container.nix**: Container tools (Docker, Podman)
  - **dev-tools.nix**: Terminal-based development tools
  - **editors/**: Terminal editor configurations
  - **encryption/**: Encryption and security tools
  - **gpg/**: GPG key management
  - **password-store/**: Password management with pass
  - **shell.nix**: Shell environment configurations
  - **ssh/**: SSH configuration and management
  - **zellij/**: Terminal workspace management
 ### System Management
 - **home.nix**: Main home manager configuration file
 ## Platform Compatibility
 All configurations in this directory are designed to work across:
 - **Linux**: All distributions with Nix and Home Manager
 - **macOS**: Darwin systems with Home Manager
 - **WSL**: Windows Subsystem for Linux
 ## Usage
 These base configurations provide the foundation for both Linux and Darwin systems, ensuring
 consistent environments across different platforms while allowing for platform-specific
 customizations.
@@ -1,16 +1,8 @@
 {
  pkgs,
  nur-ryan4yin,
  ...
 }: {
  # https://github.com/catppuccin/btop/blob/main/themes/catppuccin_mocha.theme
  xdg.configFile."btop/themes".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-btop}/themes";
  # replacement of htop/nmon
  programs.btop = {
    enable = true;
    settings = {
      color_theme = "catppuccin_mocha";
      theme_background = false; # make btop transparent
    };
  };
@@ -1,8 +1,5 @@
 { pkgs, ... }:
 {
  pkgs,
  nur-ryan4yin,
  ...
 }: {
  home.packages = with pkgs; [
    # Misc
    cowsay
@@ -16,7 +13,7 @@
    # search for files by name, faster than find
    fd
    # search for files by its content, replacement of grep
-    (ripgrep.override {withPCRE2 = true;})
+    (ripgrep.override { withPCRE2 = true; })
    # A fast and polyglot tool for code searching, linting, rewriting at large scale
    # supported languages: only some mainstream languages currently(do not support nix/nginx/yaml/toml/...)
@@ -25,8 +22,6 @@
    sad # CLI search and replace, just like sed, but with diff preview.
    yq-go # yaml processor https://github.com/mikefarah/yq
    just # a command runner like make, but simpler
    delta # A viewer for git and diff output
    lazygit # Git terminal UI.
    hyperfine # command-line benchmarking tool
    gping # ping, but with a graph(TUI)
    doggo # DNS client for humans
@@ -53,10 +48,9 @@
    ncdu # analyzer your disk usage Interactively, via TUI(replacement of `du`)
  ];
  programs = {
  # A modern replacement for ‘ls’
  # useful in bash/zsh prompt, not in nushell.
-    eza = {
+  programs.eza = {
    enable = true;
    # do not enable aliases in nushell!
    enableNushellIntegration = false;
@@ -65,44 +59,18 @@
  };
  # a cat(1) clone with syntax highlighting and Git integration.
-    bat = {
+  programs.bat = {
    enable = true;
    config = {
      pager = "less -FR";
        theme = "catppuccin-mocha";
      };
      themes = {
        # https://raw.githubusercontent.com/catppuccin/bat/main/Catppuccin-mocha.tmTheme
        catppuccin-mocha = {
          src = nur-ryan4yin.packages.${pkgs.system}.catppuccin-bat;
          file = "Catppuccin-mocha.tmTheme";
        };
    };
  };
  # A command-line fuzzy finder
-    fzf = {
+  programs.fzf.enable = true;
      enable = true;
      # https://github.com/catppuccin/fzf
      # catppuccin-mocha
      colors = {
        "bg+" = "#313244";
        "bg" = "#1e1e2e";
        "spinner" = "#f5e0dc";
        "hl" = "#f38ba8";
        "fg" = "#cdd6f4";
        "header" = "#f38ba8";
        "info" = "#cba6f7";
        "pointer" = "#f5e0dc";
        "marker" = "#f5e0dc";
        "fg+" = "#cdd6f4";
        "prompt" = "#cba6f7";
        "hl+" = "#f38ba8";
      };
    };
  # very fast version of tldr in Rust
-    tealdeer = {
+  programs.tealdeer = {
    enable = true;
    enableAutoUpdates = true;
    settings = {
@@ -134,7 +102,7 @@
  #   zi foo             # cd with interactive selection (using fzf)
  #
  #   z foo<SPACE><TAB>  # show interactive completions (zoxide v0.8.0+, bash 4.4+/fish/zsh only)
-    zoxide = {
+  programs.zoxide = {
    enable = true;
    enableBashIntegration = true;
    enableZshIntegration = true;
@@ -145,11 +113,10 @@
  # and records additional context for your commands.
  # Additionally, it provides optional and fully encrypted
  # synchronisation of your history between machines, via an Atuin server.
-    atuin = {
+  programs.atuin = {
    enable = true;
    enableBashIntegration = true;
    enableZshIntegration = true;
    enableNushellIntegration = true;
  };
  };
 }
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
 {
  imports = mylib.scanPaths ./.;
 }
@@ -1,3 +1,10 @@
 # Editors
-See [desktop/editors/](../../desktop/editors/) for more details.
+This directory contains editor configurations that are shared across different environments.
 ## Available Editors
 - **neovim/**: Neovim configuration with AstroNvim
 - **helix/**: Helix editor configuration
 These configurations are designed to work across both terminal and GUI environments.
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
 {
  imports = mylib.scanPaths ./.;
 }
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
 {
  programs.helix = {
    enable = true;
  };
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
 {
  programs = {
    neovim = {
      enable = true;
@@ -4,17 +4,37 @@
  pkgs,
  myvars,
  ...
-}: {
+}:
 {
  # `programs.git` will generate the config file: ~/.config/git/config
  # to make git use this config file, `~/.gitconfig` should not exist!
  #
  #    https://git-scm.com/docs/git-config#Documentation/git-config.txt---global
-  home.activation.removeExistingGitconfig = lib.hm.dag.entryBefore ["checkLinkTargets"] ''
+  home.activation.removeExistingGitconfig = lib.hm.dag.entryBefore [ "checkLinkTargets" ] ''
    rm -f ${config.home.homeDirectory}/.gitconfig
  '';
-  home.packages = with pkgs; [
+  # GitHub CLI tool
-  ];
+  # https://cli.github.com/manual/
  programs.gh = {
    enable = true;
    settings = {
      git_protocol = "ssh";
      prompt = "enabled";
      aliases = {
        co = "pr checkout";
        pv = "pr view";
      };
    };
    hosts = {
      "github.com" = {
        "users" = {
          "ryan4yin" = null;
        };
        "user" = "ryan4yin";
      };
    };
  };
  programs.git = {
    enable = true;
@@ -36,6 +56,7 @@
      trim.bases = "develop,master,main"; # for git-trim
      push.autoSetupRemote = true;
      pull.rebase = true;
      log.date = "iso"; # use iso format for date
      # replace https with ssh
      url = {
@@ -56,7 +77,7 @@
    #   signByDefault = true;
    # };
-    # A syntax-highlighting pager in Rust(2019 ~ Now)
+    # A syntax-highlighting pager for git, diff, grep, and blame output
    delta = {
      enable = true;
      options = {
@@ -96,4 +117,10 @@
      foreach = "submodule foreach";
    };
  };
  # Git terminal UI (written in go).
  programs.lazygit.enable = true;
  # Yet another Git TUI (written in rust).
  programs.gitui.enable = true;
 }
@@ -0,0 +1,10 @@
 { config, ... }:
 {
  # make `npm install -g <pkg>` happey
  #
  # mainly used to install npm packages that updates frequently
  # such as gemini-cli, claude-code, etc.
  home.file.".npmrc".text = ''
    prefix=${config.home.homeDirectory}/.npm
  '';
 }
@@ -1,3 +1,8 @@
 # Based on the default config generated by:
 #    ```
 #    config nu --default
 #    ```
 #
 # Nushell Config File Documentation
 #
 # Warning: This file is intended for documentation purposes only and
@@ -1,8 +1,5 @@
-{
+{ config, ... }:
-  config,
+let
  pkgs-unstable,
  ...
 }: let
  shellAliases = {
    k = "kubectl";
@@ -13,22 +10,25 @@
  localBin = "${config.home.homeDirectory}/.local/bin";
  goBin = "${config.home.homeDirectory}/go/bin";
  rustBin = "${config.home.homeDirectory}/.cargo/bin";
-in {
+  npmBin = "${config.home.homeDirectory}/.npm/bin";
-  # only works in bash/zsh, not nushell
+in
-  home.shellAliases = shellAliases;
+{
  programs.nushell = {
    enable = true;
    package = pkgs-unstable.nushell;
    configFile.source = ./config.nu;
    inherit shellAliases;
  };
  programs.bash = {
    enable = true;
    enableCompletion = true;
    bashrcExtra = ''
-      export PATH="$PATH:${localBin}:${goBin}:${rustBin}"
+      export PATH="$PATH:${localBin}:${goBin}:${rustBin}:${npmBin}"
    '';
  };
  # NOTE: only works in bash/zsh, not nushell
  home.shellAliases = shellAliases;
  # NOTE: nushell will be launched in bash, so it can inherit all the eenvironment variables.
  programs.nushell = {
    enable = true;
    # package = pkgs-unstable.nushell;
    configFile.source = ./config.nu;
    inherit shellAliases;
  };
 }
@@ -1,8 +1,4 @@
 {
  pkgs,
  nur-ryan4yin,
  ...
 }: {
  programs.starship = {
    enable = true;
@@ -10,24 +6,24 @@
    enableZshIntegration = true;
    enableNushellIntegration = true;
-    settings =
+    # https://starship.rs/config/
-      {
+    settings = {
      # Get editor completions based on the config schema
      "$schema" = "https://starship.rs/config-schema.json";
      character = {
-          success_symbol = "[›](bold green)";
+        success_symbol = "[➜](bold green)";
-          error_symbol = "[›](bold red)";
+        error_symbol = "[➜](bold red)";
        };
        aws = {
          symbol = "🅰 ";
        };
        gcloud = {
          # do not show the account/project's info
          # to avoid the leak of sensitive information when sharing the terminal
          format = "on [$symbol$active(\($region\))]($style) ";
          symbol = "🅶 ️";
      };
      # I never rely on the defaults, so this module is useless to me—disabled.
      # I prefer adding --project, --region to very gcloud/aws command.
      aws.disabled = true;
      gcloud.disabled = true;
-        palette = "catppuccin_mocha";
+      kubernetes = {
-      }
+        symbol = "⛵";
-      // builtins.fromTOML (builtins.readFile "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-starship}/palettes/mocha.toml");
+        disabled = false;
      };
      os.disabled = false;
    };
  };
 }
@@ -0,0 +1,16 @@
 { catppuccin, ... }:
 {
  # https://github.com/catppuccin/nix
  imports = [
    catppuccin.homeModules.catppuccin
  ];
  catppuccin = {
    # The default `enable` value for all available programs.
    enable = true;
    # one of "latte", "frappe", "macchiato", "mocha"
    flavor = "mocha";
    # one of "blue", "flamingo", "green", "lavender", "maroon", "mauve", "peach", "pink", "red", "rosewater", "sapphire", "sky", "teal", "yellow"
    accent = "pink";
  };
 }
@@ -1,13 +1,9 @@
 { pkgs, ... }:
 {
  pkgs,
  pkgs-unstable,
  nur-ryan4yin,
  ...
 }: {
  # terminal file manager
  programs.yazi = {
    enable = true;
-    package = pkgs-unstable.yazi;
+    package = pkgs.yazi;
    # Changing working directory when exiting Yazi
    enableBashIntegration = true;
    enableNushellIntegration = true;
@@ -18,6 +14,4 @@
      };
    };
  };
  xdg.configFile."yazi/theme.toml".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-yazi}/mocha.toml";
 }
@@ -2,7 +2,8 @@ let
  shellAliases = {
    "zj" = "zellij";
  };
-in {
+in
 {
  programs.zellij = {
    enable = true;
  };
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
 {
  imports = mylib.scanPaths ./.;
 }
@@ -1,10 +1,19 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
-  home.packages = with pkgs; [
+{
  home.packages =
    with pkgs;
    [
      mitmproxy # http/https proxy tool
    insomnia # REST client
      wireshark # network analyzer
      # IDEs
      # jetbrains.idea-community
-  ];
+
      # AI cli tools
      k8sgpt
      kubectl-ai # an ai helper opensourced by google
    ]
    ++ (lib.optionals pkgs.stdenv.isx86_64 [
      insomnia # REST client
    ]);
 }
@@ -1,65 +0,0 @@
 [colors.primary]
 background = "#1e1e2e"
 foreground = "#cdd6f4"
 dim_foreground = "#7f849c"
 bright_foreground = "#cdd6f4"
 [colors.cursor]
 text = "#1e1e2e"
 cursor = "#f5e0dc"
 [colors.vi_mode_cursor]
 text = "#1e1e2e"
 cursor = "#b4befe"
 [colors.search.matches]
 foreground = "#1e1e2e"
 background = "#a6adc8"
 [colors.search.focused_match]
 foreground = "#1e1e2e"
 background = "#a6e3a1"
 [colors.footer_bar]
 foreground = "#1e1e2e"
 background = "#a6adc8"
 [colors.hints.start]
 foreground = "#1e1e2e"
 background = "#f9e2af"
 [colors.hints.end]
 foreground = "#1e1e2e"
 background = "#a6adc8"
 [colors.selection]
 text = "#1e1e2e"
 background = "#f5e0dc"
 [colors.normal]
 black = "#45475a"
 red = "#f38ba8"
 green = "#a6e3a1"
 yellow = "#f9e2af"
 blue = "#89b4fa"
 magenta = "#f5c2e7"
 cyan = "#94e2d5"
 white = "#bac2de"
 [colors.bright]
 black = "#585b70"
 red = "#f38ba8"
 green = "#a6e3a1"
 yellow = "#f9e2af"
 blue = "#89b4fa"
 magenta = "#f5c2e7"
 cyan = "#94e2d5"
 white = "#a6adc8"
 [[colors.indexed_colors]]
 index = 16
 color = "#fab387"
 [[colors.indexed_colors]]
 index = 17
 color = "#f5e0dc"
@@ -26,36 +26,43 @@
 {
  programs.alacritty = {
    enable = true;
-    package = pkgs-unstable.alacritty;
+    # package = pkgs-unstable.alacritty;
    # https://alacritty.org/config-alacritty.html
    settings = {
      general.import = [
        ./catppuccin-mocha.toml
      ];
      window = {
        opacity = 0.93;
        startup_mode = "Maximized"; # Maximized window
        dynamic_title = true;
        option_as_alt = "Both"; # Option key acts as Alt on macOS
        decorations = "None"; # Show neither borders nor title bar
      };
      scrolling = {
        history = 10000;
      };
      font = {
-        bold = {family = "JetBrainsMono Nerd Font";};
+        bold = {
-        italic = {family = "JetBrainsMono Nerd Font";};
+          family = "Maple Mono NF CN";
-        normal = {family = "JetBrainsMono Nerd Font";};
+        };
-        bold_italic = {family = "JetBrainsMono Nerd Font";};
+        italic = {
-        size =
+          family = "Maple Mono NF CN";
-          if pkgs.stdenv.isDarwin
+        };
-          then 14
+        normal = {
-          else 13;
+          family = "Maple Mono NF CN";
        };
        bold_italic = {
          family = "Maple Mono NF CN";
        };
        size = if pkgs.stdenv.isDarwin then 14 else 13;
      };
      terminal = {
        # Spawn a nushell in login mode via `bash`
        shell = {
          program = "${pkgs.bash}/bin/bash";
-          args = ["--login" "-c" "nu --login --interactive"];
+          args = [
            "--login"
            "-c"
            "nu --login --interactive"
          ];
        };
        # Controls the ability to write to the system clipboard with the OSC 52 escape sequence.
        # It's used by zellij to copy text to the system clipboard.
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
 {
  imports = mylib.scanPaths ./.;
 }
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
 {
  programs.foot = {
    # foot is designed only for Linux
    enable = pkgs.stdenv.isLinux;
@@ -16,8 +17,8 @@
    settings = {
      main = {
        term = "foot"; # or "xterm-256color" for maximum compatibility
-        font = "JetBrainsMono Nerd Font:size=14";
+        font = "Maple Mono NF CN:size=14";
-        dpi-aware = "yes";
+        dpi-aware = "no"; # scale via window manager instead
        # Spawn a nushell in login mode via `bash`
        shell = "${pkgs.bash}/bin/bash --login -c 'nu --login --interactive'";
@@ -26,47 +27,6 @@
      mouse = {
        hide-when-typing = "yes";
      };
      # https://github.com/catppuccin/foot/blob/main/themes/catppuccin-mocha.ini
      cursor = {
        color = "11111b f5e0dc";
      };
      colors = {
        alpha = "0.93"; # background opacity
        foreground = "cdd6f4";
        background = "1e1e2e";
        regular0 = "45475a";
        regular1 = "f38ba8";
        regular2 = "a6e3a1";
        regular3 = "f9e2af";
        regular4 = "89b4fa";
        regular5 = "f5c2e7";
        regular6 = "94e2d5";
        regular7 = "bac2de";
        bright0 = "585b70";
        bright1 = "f38ba8";
        bright2 = "a6e3a1";
        bright3 = "f9e2af";
        bright4 = "89b4fa";
        bright5 = "f5c2e7";
        bright6 = "94e2d5";
        bright7 = "a6adc8";
        "16" = "fab387";
        "17" = "f5e0dc";
        "selection-foreground" = "cdd6f4";
        "selection-background" = "414356";
        "search-box-no-match" = "11111b f38ba8";
        "search-box-match" = "cdd6f4 313244";
        "jump-labels" = "11111b fab387";
        urls = "89b4fa";
      };
    };
  };
 }
@@ -12,17 +12,16 @@
  programs.ghostty = {
    enable = true;
    package =
-      if pkgs.stdenv.isDarwin
+      if pkgs.stdenv.isDarwin then
-      then pkgs.hello # pkgs.ghostty is currently broken on darwin
+        pkgs.hello # pkgs.ghostty is currently broken on darwin
-      else pkgs.ghostty; # the stable version
+      else
        pkgs.ghostty; # the stable version
    # package = ghostty.packages.${pkgs.system}.default; # the latest version
    enableBashIntegration = false;
    installBatSyntax = false;
    # installVimSyntax = true;
    settings = {
-      theme = "catppuccin-mocha";
+      font-family = "Maple Mono NF CN";
      font-family = "JetBrains Mono";
      font-size = 13;
      background-opacity = 0.93;
@@ -16,17 +16,10 @@
 {
  programs.kitty = {
    enable = true;
    # kitty has catppuccin theme built-in,
    # all the built-in themes are packaged into an extra package named `kitty-themes`
    # and it's installed by home-manager if `theme` is specified.
    themeFile = "Catppuccin-Mocha";
    font = {
-      name = "JetBrainsMono Nerd Font";
+      name = "Maple Mono NF CN";
      # use different font size on macOS
-      size =
+      size = if pkgs.stdenv.isDarwin then 14 else 13;
        if pkgs.stdenv.isDarwin
        then 14
        else 13;
    };
    # consistent with other terminal emulators
@@ -36,6 +29,10 @@
    };
    settings = {
      # do not show title bar & window title
      hide_window_decorations = "titlebar-and-corners";
      macos_show_window_title_in = "none";
      background_opacity = "0.93";
      macos_option_as_alt = true; # Option key acts as Alt on macOS
      enable_audio_bell = false;
@@ -48,6 +45,6 @@
    };
    # macOS specific settings
-    darwinLaunchOptions = ["--start-as=maximized"];
+    darwinLaunchOptions = [ "--start-as=maximized" ];
  };
 }
@@ -1,4 +1,5 @@
-{myvars, ...}: {
+{ myvars, ... }:
 {
  # Home Manager needs a bit of information about you and the
  # paths it should manage.
  home = {
@@ -2,7 +2,8 @@
  lib,
  pkgs,
  ...
-}: {
+}:
 {
  # https://developer.hashicorp.com/terraform/cli/config/config-file
  home.file.".terraformrc".source = ./terraformrc;
@@ -30,9 +31,12 @@
    # digitalocean
    doctl
    # google cloud
-    (google-cloud-sdk.withExtraComponents (with google-cloud-sdk.components; [
+    (google-cloud-sdk.withExtraComponents (
      with google-cloud-sdk.components;
      [
        gke-gcloud-auth-plugin
-    ]))
+      ]
    ))
    # cloud tools that nix do not have cache for.
    terraform
@@ -1,11 +1,12 @@
 {
  pkgs,
-  pkgs-unstable,
+  pkgs-stable,
  nur-ryan4yin,
  ...
-}: {
+}:
 {
  home.packages = with pkgs; [
-    docker-compose
+    podman-compose
    dive # explore docker layers
    lazydocker # Docker terminal UI.
    skopeo # copy/sync images between registries and local storage
@@ -13,50 +14,29 @@
    kubectl
    kubectx # kubectx & kubens
    kubie # same as kubectl-ctx, but per-shell (won’t touch kubeconfig).
    kubectl-view-secret # kubectl view-secret
    kubectl-tree # kubectl tree
    kubectl-node-shell # exec into node
    kubepug # kubernetes pre upgrade checker
-    k8sgpt
+    kubectl-cnpg # cloudnative-pg's cli tool
    nur-ryan4yin.packages.${pkgs.system}.kubectl-ai # an ai helper opensourced by google
    kubebuilder
    istioctl
    clusterctl # for kubernetes cluster-api
    kubevirt # virtctl
-    kubernetes-helm
+    pkgs-stable.kubernetes-helm
    fluxcd
    argocd
    ko # build go project to container image
  ];
-  programs = {
+  programs.k9s.enable = true;
-    k9s = {
+  catppuccin.k9s.transparent = true;
-      enable = true;
+
-      # https://k9scli.io/topics/aliases/
+  programs.kubecolor = {
      # aliases = {};
      settings = {
        skin = "catppuccino-mocha";
      };
      skins.catppuccin-mocha = let
        skin_file = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-k9s}/dist/mocha.yml"; # theme - catppuccin mocha
        skin_attr = builtins.fromJSON (
          builtins.readFile
          # replace 'base: &base "#1e1e2e"' with 'base: &base "default"'
          # to make fg/bg color transparent. "default" means transparent in k9s skin.
          (pkgs.runCommandNoCC "get-skin-json" {} ''
            cat ${skin_file} \
              |  sed -E 's@(base: &base ).+@\1 "default"@g' \
              | ${pkgs.yj}/bin/yj > $out
          '')
        );
      in
        skin_attr;
    };
    kubecolor = {
    enable = true;
    enableAlias = true;
  };
  };
 }
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
 {
  imports = mylib.scanPaths ./.;
 }
@@ -2,7 +2,8 @@
  pkgs,
  pkgs-unstable,
  ...
-}: {
+}:
 {
  #############################################################
  #
  #  Basic settings for development environment
@@ -17,9 +18,11 @@
  home.packages = with pkgs; [
    colmena # nixos's remote deployment tool
    tokei # count lines of code, alternative to cloc
    # db related
-    pkgs-unstable.mycli
+    mycli
-    pkgs-unstable.pgcli
+    pgcli
    mongosh
    sqlite
@@ -27,13 +30,12 @@
    minicom
    # ai related
-    pkgs-unstable.python313Packages.huggingface-hub # huggingface-cli
+    python313Packages.huggingface-hub # huggingface-cli
    # misc
-    pkgs-unstable.devbox
+    devbox
    bfg-repo-cleaner # remove large files from git history
    k6 # load testing tool
    protobuf # protocol buffer compiler
    # solve coding extercises - learn by doing
    exercism
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
 {
  imports = mylib.scanPaths ./.;
 }
@@ -1,16 +1,9 @@
 { pkgs, ... }:
 {
  pkgs,
  nur-ryan4yin,
  ...
 }: {
  # https://github.com/catppuccin/helix
  xdg.configFile."helix/themes".source = "${nur-ryan4yin.packages.${pkgs.system}.catppuccin-helix}/themes/default";
  programs.helix = {
    enable = true;
    package = pkgs.helix;
    settings = {
      theme = "catppuccin_mocha";
      editor = {
        line-number = "relative";
        cursorline = true;
@@ -29,7 +22,10 @@
          w = ":w";
          q = ":q";
        };
-        esc = ["collapse_selection" "keep_primary_selection"];
+        esc = [
          "collapse_selection"
          "keep_primary_selection"
        ];
      };
    };
  };
@@ -18,14 +18,16 @@ let
  # the path to nvim directory
  # to make this symlink work, we need to git clone this repo to your home directory.
  configPath = "${config.home.homeDirectory}/nix-config/home/base/tui/editors/neovim/nvim";
-in {
+in
 {
  xdg.configFile."nvim".source = config.lib.file.mkOutOfStoreSymlink configPath;
  # Disable catppuccin to avoid conflict with my non-nix config.
  catppuccin.nvim.enable = false;
  home.shellAliases = shellAliases;
  programs.nushell.shellAliases = shellAliases;
-  programs = {
+  programs.neovim = {
    neovim = {
    enable = true;
    package = pkgs-unstable.neovim-unwrapped;
@@ -44,14 +46,20 @@ in {
      "--suffix"
      "LIBRARY_PATH"
      ":"
-        "${lib.makeLibraryPath [stdenv.cc.cc zlib]}"
+      "${lib.makeLibraryPath [
        stdenv.cc.cc
        zlib
      ]}"
      # PKG_CONFIG_PATH is used by pkg-config before compilation to search directories
      # containing .pc files that describe the libraries that need to be linked to your program.
      "--suffix"
      "PKG_CONFIG_PATH"
      ":"
-        "${lib.makeSearchPathOutput "dev" "lib/pkgconfig" [stdenv.cc.cc zlib]}"
+      "${lib.makeSearchPathOutput "dev" "lib/pkgconfig" [
        stdenv.cc.cc
        zlib
      ]}"
    ];
    # Currently we use lazy.nvim as neovim's package manager, so comment this one.
@@ -70,5 +78,4 @@ in {
      nvim-treesitter.withAllGrammars
    ];
  };
  };
 }
@@ -2,101 +2,137 @@
  "AstroNvim": { "branch": "main", "commit": "c5e610f614e74c9dd9bf11760c4d0ad2c98c0abe" },
  "Comment.nvim": { "branch": "master", "commit": "e30b7f2008e52442154b66f7c519bfd2f1e32acb" },
  "LuaSnip": { "branch": "master", "commit": "458560534a73f7f8d7a11a146c801db00b081df0" },
  "SchemaStore.nvim": { "branch": "main", "commit": "6c52c57432280c54596feb0c0958e1a6cb546f4d" },
  "aerial.nvim": { "branch": "master", "commit": "3284a2cb858ba009c79da87d5e010ccee3c99c4d" },
  "alpha-nvim": { "branch": "main", "commit": "de72250e054e5e691b9736ee30db72c65d560771" },
-  "astrocommunity": { "branch": "main", "commit": "16231a665146b0fe70593dd450afd6e964a3cbe1" },
+  "astrocommunity": { "branch": "main", "commit": "2db3ee2ce37f9e2bc9e6ea2c3e2e6292ca4d33bf" },
  "astrocore": { "branch": "main", "commit": "44a3dc0bf1591022b2a6bc89dccdfac1be17bec9" },
  "astrolsp": { "branch": "main", "commit": "909fbe64f3f87d089ff3777751261544557117cc" },
  "astrotheme": { "branch": "main", "commit": "f12dcf64b1f9a05839c3ac2146f550f43bae9dab" },
  "astroui": { "branch": "main", "commit": "e923a84c488d879a260fc9cfb2dc27dd870fb6ac" },
  "autosave.nvim": { "branch": "main", "commit": "348f72cf0241e3e736e3396c4834def2f8ef8d10" },
-  "avante.nvim": { "branch": "main", "commit": "bc403ddcbf98c4181ee2a7efd35cd1e18a2fdc5c" },
+  "avante.nvim": { "branch": "main", "commit": "508cc4c22c78d565d270df8dec5449db07800296" },
-  "catppuccin": { "branch": "main", "commit": "a0c769bc7cd04bbbf258b3d5f01e2bdce744108d" },
+  "catppuccin": { "branch": "main", "commit": "fa42eb5e26819ef58884257d5ae95dd0552b9a66" },
-  "clangd_extensions.nvim": { "branch": "main", "commit": "db28f29be928d18cbfb86fbfb9f83f584f658feb" },
+  "clangd_extensions.nvim": {
-  "cmake-tools.nvim": { "branch": "master", "commit": "591ae37fc5494677e929118f0a182d2b61fe1af1" },
+    "branch": "main",
    "commit": "db28f29be928d18cbfb86fbfb9f83f584f658feb"
  },
  "cmake-tools.nvim": { "branch": "master", "commit": "17244215b1a96e4b2a83a16abd6719197f270f96" },
  "cmp-buffer": { "branch": "main", "commit": "3022dbc9166796b644a841a02de8dd1cc1d311fa" },
  "cmp-conjure": { "branch": "master", "commit": "8c9a88efedc0e5bf3165baa6af8a407afe29daf6" },
  "cmp-dap": { "branch": "master", "commit": "ea92773e84c0ad3288c3bc5e452ac91559669087" },
  "cmp-nvim-lsp": { "branch": "main", "commit": "99290b3ec1322070bcfb9e846450a46f6efa50f0" },
  "cmp-path": { "branch": "main", "commit": "91ff86cd9c29299a64f968ebb45846c485725f23" },
  "cmp_luasnip": { "branch": "master", "commit": "98d9cb5c2c38532bd9bdb481067b20fea8f32e90" },
-  "conjure": { "branch": "main", "commit": "83c6394f916197d73f2a19538bd5615e08842d10" },
+  "conjure": { "branch": "main", "commit": "5f15eb0322b5530eefb16457c061e7c2ccd7cf13" },
  "crates.nvim": { "branch": "main", "commit": "5d8b1bef686db0fabe5f1bb593744b617e8f1405" },
  "deno-nvim": { "branch": "master", "commit": "5a2f9205df5539c4a0696e73893bf8d1b0cae406" },
  "dressing.nvim": { "branch": "master", "commit": "3a45525bb182730fe462325c99395529308f431e" },
  "flash.nvim": { "branch": "main", "commit": "3c942666f115e2811e959eabbdd361a025db8b63" },
  "flit.nvim": { "branch": "main", "commit": "1ef72de6a02458d31b10039372c8a15ab8989e0d" },
  "friendly-snippets": { "branch": "main", "commit": "efff286dd74c22f731cdec26a70b46e5b203c619" },
-  "fzf-lua": { "branch": "main", "commit": "3de691fafd097177d10ebffb91dec5bec2cb30ed" },
+  "fzf-lua": { "branch": "main", "commit": "a4404dee0a65d3c2e2b292206d10b16567d088c9" },
  "gitsigns.nvim": { "branch": "main", "commit": "7010000889bfb6c26065e0b0f7f1e6aa9163edd9" },
-  "gopher.nvim": { "branch": "main", "commit": "9db5931af1293ae52500921d92c02145d86df02c" },
+  "gopher.nvim": { "branch": "main", "commit": "de585144ebde9f0516fb9b542dd42e90c7835b59" },
  "goto-preview": { "branch": "main", "commit": "d1faf6ea992b5bcaaaf2c682e1aba3131a01143e" },
  "guess-indent.nvim": { "branch": "main", "commit": "6cd61f7a600bb756e558627cd2e740302c58e32d" },
  "heirline.nvim": { "branch": "master", "commit": "fae936abb5e0345b85c3a03ecf38525b0828b992" },
-  "indent-blankline.nvim": { "branch": "master", "commit": "005b56001b2cb30bfa61b7986bc50657816ba4ba" },
+  "indent-blankline.nvim": {
    "branch": "master",
    "commit": "005b56001b2cb30bfa61b7986bc50657816ba4ba"
  },
  "lazy.nvim": { "branch": "main", "commit": "6c3bda4aca61a13a9c63f1c1d1b16b9d3be90d7a" },
  "lazydev.nvim": { "branch": "main", "commit": "f59bd14a852ca43db38e3662395354cb2a9b13e0" },
-  "leap.nvim": { "branch": "main", "commit": "08ca7ec9e859856251d56c22ea107f82f563ff3c" },
+  "leap.nvim": { "branch": "main", "commit": "10c14af4ddfb34dbd7721f0bfb2b4d91f0558907" },
-  "lsp_signature.nvim": { "branch": "master", "commit": "d50e40b3bf9324128e71b0b7e589765ce89466d2" },
+  "lsp_signature.nvim": {
    "branch": "master",
    "commit": "2923666d092300e6d03c8d895991d0bef43f1613"
  },
  "lspkind.nvim": { "branch": "master", "commit": "d79a1c3299ad0ef94e255d045bed9fa26025dab6" },
  "luarocks.nvim": { "branch": "main", "commit": "1db9093915eb16ba2473cfb8d343ace5ee04130a" },
-  "markdown-preview.nvim": { "branch": "main", "commit": "462ce41af003f5cdadab856f3a42dc27e39b89c8" },
+  "markdown-preview.nvim": {
-  "mason-lspconfig.nvim": { "branch": "main", "commit": "1a31f824b9cd5bc6f342fc29e9a53b60d74af245" },
+    "branch": "main",
    "commit": "462ce41af003f5cdadab856f3a42dc27e39b89c8"
  },
  "mason-lspconfig.nvim": {
    "branch": "main",
    "commit": "1a31f824b9cd5bc6f342fc29e9a53b60d74af245"
  },
  "mason-null-ls.nvim": { "branch": "main", "commit": "2b8433f76598397fcc97318d410e0c4f7a4bea6a" },
  "mason-nvim-dap.nvim": { "branch": "main", "commit": "4c2cdc69d69fe00c15ae8648f7e954d99e5de3ea" },
  "mason.nvim": { "branch": "main", "commit": "fc98833b6da5de5a9c5b1446ac541577059555be" },
-  "mini.ai": { "branch": "main", "commit": "5225f16eacf4dce2cb7204ca345123ef54e209d6" },
+  "mini.ai": { "branch": "main", "commit": "d172ada7b0281044a06cb9a625a862553c457b6f" },
  "mini.bufremove": { "branch": "main", "commit": "285bdac9596ee7375db50c0f76ed04336dcd2685" },
-  "mini.surround": { "branch": "main", "commit": "f4307f935ad87cfe3e570dbaae485b35cce4e5ec" },
+  "mini.surround": { "branch": "main", "commit": "1a2b59c77a0c4713a5bd8972da322f842f4821b1" },
  "neo-tree.nvim": { "branch": "main", "commit": "f481de16a0eb59c985abac8985e3f2e2f75b4875" },
  "neoconf.nvim": { "branch": "main", "commit": "f630568a4d04154803886f21ca60923f12709f0f" },
-  "nfnl": { "branch": "main", "commit": "19cac83657514a0718b7af4a086d06bd73269b7a" },
+  "nfnl": { "branch": "main", "commit": "143b595069d98d47b26b80f0e0375420673de4af" },
  "none-ls.nvim": { "branch": "main", "commit": "a117163db44c256d53c3be8717f3e1a2a28e6299" },
  "nui.nvim": { "branch": "main", "commit": "a0fd35fcbb4cb479366f1dc5f20145fd718a3733" },
  "nvim-autopairs": { "branch": "master", "commit": "68f0e5c3dab23261a945272032ee6700af86227a" },
  "nvim-cmp": { "branch": "main", "commit": "1e1900b0769324a9675ef85b38f99cca29e203b3" },
-  "nvim-colorizer.lua": { "branch": "master", "commit": "517df88cf2afb36652830df2c655df2da416a0ae" },
+  "nvim-colorizer.lua": {
    "branch": "master",
    "commit": "517df88cf2afb36652830df2c655df2da416a0ae"
  },
  "nvim-dap": { "branch": "master", "commit": "6a5bba0ddea5d419a783e170c20988046376090d" },
  "nvim-dap-go": { "branch": "main", "commit": "8763ced35b19c8dc526e04a70ab07c34e11ad064" },
  "nvim-dap-python": { "branch": "master", "commit": "261ce649d05bc455a29f9636dc03f8cdaa7e0e2c" },
  "nvim-dap-ui": { "branch": "master", "commit": "bc81f8d3440aede116f821114547a476b082b319" },
-  "nvim-jdtls": { "branch": "master", "commit": "c23f200fee469a415c77265ca55b496feb646992" },
+  "nvim-jdtls": { "branch": "master", "commit": "4d77ff02063cf88963d5cf10683ab1fd15d072de" },
-  "nvim-lsp-file-operations": { "branch": "master", "commit": "9744b738183a5adca0f916527922078a965515ed" },
+  "nvim-lsp-file-operations": {
    "branch": "master",
    "commit": "9744b738183a5adca0f916527922078a965515ed"
  },
  "nvim-lspconfig": { "branch": "master", "commit": "185b2af444b27d6541c02d662b5b68190e5cf0c4" },
  "nvim-nio": { "branch": "master", "commit": "21f5324bfac14e22ba26553caf69ec76ae8a7662" },
  "nvim-notify": { "branch": "master", "commit": "a3020c2cf4dfc4c4f390c4a21e84e35e46cf5d17" },
  "nvim-scrollbar": { "branch": "main", "commit": "5b103ef0fd2e8b9b4be3878ed38d224522192c6c" },
  "nvim-spectre": { "branch": "master", "commit": "72f56f7585903cd7bf92c665351aa585e150af0f" },
-  "nvim-spider": { "branch": "main", "commit": "99df646eab60df0b948dd2532ef5f5512707a9a4" },
+  "nvim-spider": { "branch": "main", "commit": "d4bdc45eac425e77108f068bd0706ff3ac20be7f" },
  "nvim-treesitter": { "branch": "master", "commit": "f8aaf5ce4e27cd20de917946b2ae5c968a2c2858" },
-  "nvim-treesitter-textobjects": { "branch": "master", "commit": "9937e5e356e5b227ec56d83d0a9d0a0f6bc9cad4" },
+  "nvim-treesitter-textobjects": {
    "branch": "master",
    "commit": "9937e5e356e5b227ec56d83d0a9d0a0f6bc9cad4"
  },
  "nvim-ts-autotag": { "branch": "main", "commit": "a1d526af391f6aebb25a8795cbc05351ed3620b5" },
-  "nvim-ts-context-commentstring": { "branch": "main", "commit": "1b212c2eee76d787bbea6aa5e92a2b534e7b4f8f" },
+  "nvim-ts-context-commentstring": {
    "branch": "main",
    "commit": "1b212c2eee76d787bbea6aa5e92a2b534e7b4f8f"
  },
  "nvim-ufo": { "branch": "main", "commit": "61463090a4f55f5d080236ea62f09d1cd8976ff3" },
  "nvim-vtsls": { "branch": "main", "commit": "60b493e641d3674c030c660cabe7a2a3f7a914be" },
  "nvim-web-devicons": { "branch": "master", "commit": "4c3a5848ee0b09ecdea73adcd2a689190aeb728c" },
  "nvim-window-picker": { "branch": "main", "commit": "6382540b2ae5de6c793d4aa2e3fe6dbb518505ec" },
-  "orgmode": { "branch": "master", "commit": "32ef9e95f43a6e951fb931b438372546a4f0c524" },
+  "orgmode": { "branch": "master", "commit": "b6d14eb0a1553a0ef4114346d67605de82d0f7fb" },
  "package-info.nvim": { "branch": "master", "commit": "4f1b8287dde221153ec9f2acd46e8237d2d0881e" },
-  "parinfer-rust": { "branch": "master", "commit": "55bec1e3d4f127527c5c2e507fac96cc934aed6e" },
+  "parinfer-rust": { "branch": "master", "commit": "afe6b1176cd805c000713e23b654fbf4b9f4b156" },
  "plenary.nvim": { "branch": "master", "commit": "857c5ac632080dba10aae49dba902ce3abf91b35" },
  "presence.nvim": { "branch": "main", "commit": "87c857a56b7703f976d3a5ef15967d80508df6e6" },
  "promise-async": { "branch": "main", "commit": "38a4575da9497326badd3995e768b4ccf0bb153e" },
-  "refactoring.nvim": { "branch": "master", "commit": "64dbe67bf7c28c864488262d267c799f80cae9ba" },
+  "refactoring.nvim": { "branch": "master", "commit": "74b608dfee827c2372250519d433cc21cb083407" },
-  "render-markdown.nvim": { "branch": "main", "commit": "8debb17aab2fbbf3b341e46ac032d0a6f937d8c3" },
+  "render-markdown.nvim": {
    "branch": "main",
    "commit": "c809fc129f842a7055c672593d24be6346bcc673"
  },
  "resession.nvim": { "branch": "master", "commit": "cc819b0489938d03e4f3532a583354f0287c015b" },
-  "rustaceanvim": { "branch": "master", "commit": "5120207f90846704a74cbf043295698b009bd5de" },
+  "rustaceanvim": { "branch": "master", "commit": "322224d00a731d75eed6b700d38e460fd30f6e3c" },
  "schemastore.nvim": { "branch": "main", "commit": "e4f80f37cd11ed58a6e914cc30850749f021b6a7" },
  "sentiment.nvim": { "branch": "main", "commit": "54a6db15b630eccfa98c32a76baf90f21c6f1e40" },
  "smart-splits.nvim": { "branch": "master", "commit": "ddb23c1a1cf1507bda487cda7f6e4690965ef9f5" },
-  "telescope-fzf-native.nvim": { "branch": "main", "commit": "1f08ed60cafc8f6168b72b80be2b2ea149813e55" },
+  "telescope-fzf-native.nvim": {
    "branch": "main",
    "commit": "1f08ed60cafc8f6168b72b80be2b2ea149813e55"
  },
  "telescope-undo.nvim": { "branch": "main", "commit": "928d0c2dc9606e01e2cc547196f48d2eaecf58e5" },
  "telescope.nvim": { "branch": "0.1.x", "commit": "a17d611a0e111836a1db5295f04945df407c5135" },
  "todo-comments.nvim": { "branch": "main", "commit": "ae0a2afb47cf7395dc400e5dc4e05274bf4fb9e0" },
-  "tree-sitter-nu": { "branch": "main", "commit": "d5c71a10b4d1b02e38967b05f8de70e847448dd1" },
+  "tree-sitter-nu": { "branch": "main", "commit": "d62bb4a0c78e9476a6dd0081761444f6870252ed" },
  "treesj": { "branch": "main", "commit": "3b4a2bc42738a63de17e7485d4cc5e49970ddbcc" },
  "tsc.nvim": { "branch": "main", "commit": "8c1b4ec6a48d038a79ced8674cb15e7db6dd8ef0" },
-  "venv-selector.nvim": { "branch": "regexp", "commit": "c677caa1030808a9f90092e522de7cc20c1390dd" },
+  "venv-selector.nvim": {
    "branch": "regexp",
    "commit": "c677caa1030808a9f90092e522de7cc20c1390dd"
  },
  "vim-illuminate": { "branch": "master", "commit": "19cb21f513fc2b02f0c66be70107741e837516a1" },
  "vim-repeat": { "branch": "master", "commit": "65846025c15494983dafe5e3b46c8f88ab2e9635" },
  "vim-wakatime": { "branch": "master", "commit": "f39c4a201ae350aaba713b59d4a4fdd88e0811aa" },
@@ -52,7 +52,8 @@ return {
      "terraformls", -- terraform hcl
      "marksman", -- markdown ls
      "nickel_ls", -- nickel language server
-      "nil_ls", -- nix language server
+      -- "nil_ls", -- nix language server
      "nixd", -- another nix language server
      "buf_ls", -- protocol buffer language server
      "dockerls", -- dockerfile
      "cmake", -- cmake language server
@@ -19,8 +19,8 @@ return {
  },
  version = false, -- Never set this value to "*"! Never!
  opts = {
-    provider = "deepseek_reasoner",
+    provider = "openrouter_claude_4",
-    cursor_applying_provider = "deepseek_reasoner", -- In this example, use Groq for applying, but you can also use any provider you want.
+    cursor_applying_provider = "openrouter_claude_4",
    behaviour = {
      -- auto_suggestions = true,
      enable_cursor_planning_mode = true, -- enable cursor planning mode!
@@ -28,44 +28,104 @@ return {
    -- WARNING: Since auto-suggestions are a high-frequency operation and therefore expensive,
    -- currently designating it as `copilot` provider is dangerous because: https://github.com/yetone/avante.nvim/issues/1048
    -- Of course, you can reduce the request frequency by increasing `suggestion.debounce`.
-    auto_suggestions_provider = "aliyun_qwen3",
+    auto_suggestions_provider = "ollama",
    suggestion = {
      debounce = 750, -- wait for x ms before suggestion
      throttle = 1200, -- wait for at least x ms before the next suggestion
    },
    web_search_engine = {
      provider = "google", -- tavily, serpapi, searchapi, google, kagi, brave, or searxng
      proxy = nil, -- proxy support, e.g., http://127.0.0.1:7890
    },
    providers = {
      ollama = {
        endpoint = "http://192.168.5.100:11434", -- Note that there is no /v1 at the end.
        model = "modelscope.cn/unsloth/Qwen3-30B-A3B-GGUF",
-      -- model = "modelscope.cn/unsloth/Qwen3-235B-A22B-GGUF",
+        -- model = "modelscope.cn/unsloth/Qwen3-32B-GGUF",
      },
-    vendors = {
+      -- ==============================================
-      deepseek_coder = {
+      -- https://aistudio.google.com/prompts/new_chat
      -- ==============================================
      gemini = {
        api_key_name = "GEMINI_API_KEY",
        model = "gemini-2.5-pro-preview-06-05",
        timeout = 30000, -- Timeout in milliseconds, increase this for reasoning models
        temperature = 0,
        max_completion_tokens = 8192, -- Increase this to include reasoning tokens (for reasoning models)
        --reasoning_effort = "medium", -- low|medium|high, only used for reasoning models
      },
      -- ==============================================
      -- https://openrouter.ai/rankings
      -- ==============================================
      openrouter_claude_4 = {
        __inherited_from = "openai",
-        api_key_name = "DEEPSEEK_API_KEY",
+        endpoint = "https://openrouter.ai/api/v1",
-        endpoint = "https://api.deepseek.com",
+        api_key_name = "OPENROUTER_API_KEY",
-        model = "deepseek-coder",
+        model = "anthropic/claude-sonnet-4",
      },
      -- deepseek chat v3
      deepseek_chat = {
        __inherited_from = "openai",
        api_key_name = "DEEPSEEK_API_KEY",
        endpoint = "https://api.deepseek.com",
        model = "deepseek-chat",
      },
      -- deepseek r1
      deepseek_reasoner = {
        __inherited_from = "openai",
        api_key_name = "DEEPSEEK_API_KEY",
        endpoint = "https://api.deepseek.com",
        model = "deepseek-reasoner",
      },
      -- ==============================================
      -- https://bailian.console.aliyun.com/?tab=model
      -- ==============================================
      aliyun_qwen3 = {
        __inherited_from = "openai",
        api_key_name = "DASHSCOPE_API_KEY",
        endpoint = "https://dashscope.aliyuncs.com/compatible-mode/v1",
        -- model = "qwen-coder-plus-latest",
        model = "qwen3-235b-a22b",
        -- disable_tools = true,
      },
      aliyun_dpr1 = {
        __inherited_from = "openai",
        api_key_name = "DASHSCOPE_API_KEY",
        endpoint = "https://dashscope.aliyuncs.com/compatible-mode/v1",
        model = "deepseek-r1-0528",
        disable_tools = true,
      },
      -- ==============================================
      -- https://console.volcengine.com/ark/region:ark+cn-beijing/model?feature=&vendor=DeepSeek&view=VENDOR_VIEW
      -- ==============================================
      ark_dpr1 = {
        __inherited_from = "openai",
        api_key_name = "ARK_API_KEY",
        endpoint = "https://ark.cn-beijing.volces.com/api/v3",
        model = "deepseek-r1-250528",
        -- disable_tools = true,
      },
      -- ==============================================
      -- https://cloud.siliconflow.cn/models
      -- ==============================================
      sflow_dpr1 = {
        __inherited_from = "openai",
        api_key_name = "SILICONFLOW_API_KEY",
        endpoint = "https://api.siliconflow.cn/v1",
        model = "Pro/deepseek-ai/DeepSeek-R1",
        -- disable_tools = true,
      },
      -- ==============================================
      -- https://platform.deepseek.com/usage
      -- ==============================================
      dp_coder = {
        __inherited_from = "openai",
        api_key_name = "DEEPSEEK_API_KEY",
        endpoint = "https://api.deepseek.com",
        model = "deepseek-coder",
      },
      -- deepseek chat v3
      dp_chat = {
        __inherited_from = "openai",
        api_key_name = "DEEPSEEK_API_KEY",
        endpoint = "https://api.deepseek.com",
        model = "deepseek-chat",
        -- disable_tools = true,
      },
      -- deepseek r1
      dp_r1 = {
        __inherited_from = "openai",
        api_key_name = "DEEPSEEK_API_KEY",
        endpoint = "https://api.deepseek.com",
        model = "deepseek-reasoner",
        -- disable_tools = true,
      },
    },
  },
@@ -1,13 +1,15 @@
 -- File explorer(Custom configs)
 return {
  "nvim-neo-tree/neo-tree.nvim",
-  opts = {
+  opts = function(_, opts)
-    filesystem = {
+    opts.filesystem.filtered_items = {
      filtered_items = {
      visible = true, -- visible by default
      hide_dotfiles = false,
      hide_gitignored = false,
-      },
+    }
-    },
+    opts.filesystem.follow_current_file = {
-  },
+      enabled = true, -- This will find and focus the file in the active buffer every time
      leave_dirs_open = false, -- `false` closes auto expanded dirs, such as with `:Neotree reveal`
    }
  end,
 }
@@ -39,7 +39,7 @@ return {
      formatting.shfmt, -- Shell formatter
      formatting.terraform_fmt, -- Terraform formatter
      formatting.stylua, -- Lua formatter
-      formatting.alejandra, -- Nix formatter
+      -- formatting.alejandra, -- Nix formatter
      formatting.sqlfluff.with { -- SQL formatter
        extra_args = { "--dialect", "postgres" }, -- change to your dialect
      },
@@ -2,17 +2,19 @@
  pkgs,
  pkgs-unstable,
  ...
-}: {
+}:
-  home.packages = with pkgs; (
+{
  home.packages =
    with pkgs;
    (
      # -*- Data & Configuration Languages -*-#
      [
        #-- nix
        nil
-      # rnix-lsp
+        nixd
      # nixd
        statix # Lints and suggestions for the nix programming language
        deadnix # Find and remove unused code in .nix source files
-      alejandra # Nix Code Formatter
+        nixfmt # Nix Code Formatter
        #-- nickel lang
        nickel
@@ -28,7 +30,7 @@
        #-- dockerfile
        hadolint # Dockerfile linter
-      nodePackages.dockerfile-language-server-nodejs
+        dockerfile-language-server
        #-- markdown
        marksman # language server for markdown
@@ -61,13 +63,15 @@
          vscode-extensions.vadimcn.vscode-lldb.adapter # codelldb - debugger
          #-- python
      pyright # python language server
          (python313.withPackages (
-        ps:
+            ps: with ps; [
-          with ps; [
+              # python language server
              pyright
              ruff
              pipx # Install and Run Python Applications in Isolated Environments
              black # python formatter
-            # debugpy
+              uv # python project package manager
              # my commonly used python packages
              jupyter
@@ -77,6 +81,10 @@
              pyquery
              pyyaml
              boto3
              # misc
              protobuf # protocol buffer compiler
              numpy
            ]
          ))
@@ -147,7 +155,7 @@
        nodePackages.prettier # common code formatter
        fzf
        gdu # disk usage analyzer, required by AstroNvim
-      (ripgrep.override {withPCRE2 = true;}) # recursively searches directories for a regex pattern
+        (ripgrep.override { withPCRE2 = true; }) # recursively searches directories for a regex pattern
      ]
    );
 }
@@ -2,10 +2,11 @@
  pkgs,
  pkgs-unstable,
  ...
-}: {
+}:
 {
  home.packages = with pkgs; [
    age
-    pkgs-unstable.sops
+    sops
    rclone
  ];
 }
@@ -2,7 +2,8 @@
  config,
  mysecrets,
  ...
-}: {
+}:
 {
  programs.gpg = {
    enable = true;
    homedir = "${config.home.homeDirectory}/.gnupg";
@@ -3,9 +3,11 @@
  config,
  lib,
  ...
-}: let
+}:
 let
  passwordStoreDir = "${config.xdg.dataHome}/password-store";
-in {
+in
 {
  programs.password-store = {
    enable = true;
    package = pkgs.pass.withExtensions (exts: [
@@ -2,9 +2,11 @@
  config,
  pkgs-unstable,
  ...
-}: let
+}:
 let
  inherit (pkgs-unstable) nu_scripts;
-in {
+in
 {
  programs.nushell = {
    # load the alias file for work
    # the file must exist, otherwise nushell will complain about it!
@@ -14,6 +16,10 @@ in {
    extraConfig = ''
      source /etc/agenix/alias-for-work.nushell
      # using claude-code with kimi k2
      $env.ANTHROPIC_BASE_URL = "https://api.moonshot.cn/anthropic/"
      $env.ANTHROPIC_API_KEY = $env.MOONSHOT_API_KEY
      # Directories in this constant are searched by the
      # `use` and `source` commands.
      const NU_LIB_DIRS = $NU_LIB_DIRS ++ ['${nu_scripts}/share/nu_scripts']
@@ -34,7 +40,7 @@ in {
      # use custom-completions/zoxide/zoxide-completions.nu *
      # alias
-      use aliases/git/git-aliases.nu *
+      # use aliases/git/git-aliases.nu *
      use aliases/eza/eza-aliases.nu *
      use aliases/bat/bat-aliases.nu *
@@ -2,14 +2,28 @@
  config,
  mysecrets,
  ...
-}: {
+}:
 {
  home.file.".ssh/romantic.pub".source = "${mysecrets}/public/romantic.pub";
  programs.ssh = {
    enable = true;
    # default config
    enableDefaultConfig = false;
    matchBlocks."*" = {
      forwardAgent = false;
      # "a private key that is used during authentication will be added to ssh-agent if it is running"
      addKeysToAgent = "yes";
      compression = true;
      serverAliveInterval = 0;
      serverAliveCountMax = 3;
      hashKnownHosts = false;
      userKnownHostsFile = "~/.ssh/known_hosts";
      controlMaster = "no";
      controlPath = "~/.ssh/master-%r@%n:%p";
      controlPersist = "no";
    };
    matchBlocks = {
      "github.com" = {
@@ -303,69 +303,6 @@ default_shell "nu"
 //
 // scrollback_lines_to_serialize 10000
 // Define color themes for Zellij
 // For more examples, see: https://github.com/zellij-org/zellij/tree/main/example/themes
 // Once these themes are defined, one of them should to be selected in the "theme" section of this file
 //
 themes {
  // https://github.com/zellij-org/zellij/blob/main/zellij-utils/assets/themes/catppuccin.kdl
  catppuccin-latte {
    bg "#acb0be" // Surface2
    fg "#acb0be" // Surface2
    red "#d20f39"
    green "#40a02b"
    blue "#1e66f5"
    yellow "#df8e1d"
    magenta "#ea76cb" // Pink
    orange "#fe640b" // Peach
    cyan "#04a5e5" // Sky
    black "#dce0e8" // Crust
    white "#4c4f69" // Text
  }
  catppuccin-frappe {
    bg "#626880" // Surface2
    fg "#c6d0f5"
    red "#e78284"
    green "#a6d189"
    blue "#8caaee"
    yellow "#e5c890"
    magenta "#f4b8e4" // Pink
    orange "#ef9f76" // Peach
    cyan "#99d1db" // Sky
    black "#292c3c" // Mantle
    white "#c6d0f5"
  }
  catppuccin-macchiato {
    bg "#5b6078" // Surface2
    fg "#cad3f5"
    red "#ed8796"
    green "#a6da95"
    blue "#8aadf4"
    yellow "#eed49f"
    magenta "#f5bde6" // Pink
    orange "#f5a97f" // Peach
    cyan "#91d7e3" // Sky
    black "#1e2030" // Mantle
    white "#cad3f5"
  }
  catppuccin-mocha {
    bg "#585b70" // Surface2
    fg "#cdd6f4"
    red "#f38ba8"
    green "#a6e3a1"
    blue "#89b4fa"
    yellow "#f9e2af"
    magenta "#f5c2e7" // Pink
    orange "#fab387" // Peach
    cyan "#89dceb" // Sky
    black "#181825" // Mantle
    white "#cdd6f4"
  }
 }
 // Choose the theme that is specified in the themes section.
 // Default: default
 //
@@ -1,12 +1,18 @@
-{pkgs, ...}: let
+{ pkgs, ... }:
 let
  shellAliases = {
    "zj" = "zellij";
  };
-in {
+in
 {
  programs.zellij = {
    enable = true;
    package = pkgs.zellij;
  };
  xdg.configFile."zellij/config.kdl".source = ./config.kdl;
  # Disable catppuccin to avoid conflict with my non-nix config.
  catppuccin.zellij.enable = false;
  # auto start zellij in nushell
  programs.nushell.extraConfig = ''
    # auto start zellij
@@ -29,6 +35,4 @@ in {
  # only works in bash/zsh, not nushell
  home.shellAliases = shellAliases;
  programs.nushell.shellAliases = shellAliases;
  xdg.configFile."zellij/config.kdl".source = ./config.kdl;
 }
@@ -1,6 +1,33 @@
 # Home Manager's Darwin Submodules
-1. `core.nix`: some basic configuration.
+This directory contains macOS-specific Home Manager configurations for Darwin systems.
-2. `shell.nix`: shell related.
+
-3. `rime-squirrel.nix`: [rime-squirrel](https://github.com/rime/squirrel)'s configuration.
+## Configuration Modules
-4. `default.nix`: the entrypoint of darwin's configuration, it import all the submodules above.
+
 ### Core Configurations
 - **default.nix**: Entry point that imports all Darwin configurations
 - **shell.nix**: Shell configurations and environment settings
 - **rime-squirrel.nix**: [Rime Squirrel](https://github.com/rime/squirrel) input method
  configuration
 ### Window Management
 - **aerospace/**: [Aerospace](https://github.com/nikitabobko/AeroSpace) tiling window manager
  configuration
  - Custom keybindings and workspace management
  - Application-specific window rules
 ### Network Configuration
 - **proxy/**: Network proxy configurations
  - `proxychains.conf`: Proxy chains configuration for network routing
  - Proxy settings for development tools and applications
 ## Features
 - macOS-specific package installations and configurations
 - Native macOS applications and utilities
 - Touch ID and system integration
 - Homebrew integration for additional packages
 - macOS-specific shell configurations and aliases
@@ -226,11 +226,6 @@ run = 'move-node-to-workspace 3Work'
 if.app-id = 'com.tinyspeck.slackmacgap'
 run = 'move-node-to-workspace 3Work'
 [[on-window-detected]]
 if.app-id = 'us.zoom.xos'
 run = 'move-node-to-workspace 3Work'
 [[on-window-detected]]
 if.app-id = 'org.mozilla.firefox'
 run = 'move-node-to-workspace 4Firefox'
@@ -285,6 +280,14 @@ run = ['layout floating', 'move-node-to-workspace 9File']
 if.app-id = 'com.apple.Preview'
 run = ['layout floating', 'move-node-to-workspace 9File']
 [[on-window-detected]]
 if.app-id = 'com.microsoft.VSCode'
 run = ['layout floating', 'move-node-to-workspace 9File']
 [[on-window-detected]]
 if.app-id = 'com.todesktop.230313mzl4w4u92' # Cursor AI Editor
 run = ['layout floating', 'move-node-to-workspace 9File']
 [[on-window-detected]]
 if.app-id = 'org.wireshark.Wireshark'
 run = ['layout floating', 'move-node-to-workspace 0Other']
@@ -294,8 +297,8 @@ if.app-id = 'ai.elementlabs.lmstudio'
 run = ['layout floating', 'move-node-to-workspace 0Other']
 [[on-window-detected]]
-if.app-id = 'com.microsoft.VSCode'
+if.app-id = 'us.zoom.xos'
-run = ['layout floating', 'move-node-to-workspace 0Other']
+run = 'move-node-to-workspace 0Other'
 # Auth UI - do not move it
 [[on-window-detected]]
@@ -307,6 +310,11 @@ run = ['layout floating']
 if.app-id = 'com.apple.systempreferences'
 run = ['layout floating']
 # Clash Verge - has problem with floating
 [[on-window-detected]]
 if.app-id = 'io.github.clash-verge-rev.clash-verge-rev'
 run = ['move-node-to-workspace 0Other']
 # Make all windows float by default
 [[on-window-detected]]
 check-further-callbacks = true
@@ -1,5 +1,5 @@
-{config, ...}: {
+{ config, ... }:
 {
  home.file.".aerospace.toml".source =
-    config.lib.file.mkOutOfStoreSymlink
+    config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/nix-config/home/darwin/aerospace/aerospace.toml";
    "${config.home.homeDirectory}/nix-config/home/darwin/aerospace/aerospace.toml";
 }
@@ -2,11 +2,10 @@
  mylib,
  myvars,
  ...
-}: {
+}:
 {
  home.homeDirectory = "/Users/${myvars.username}";
-  imports =
+  imports = (mylib.scanPaths ./.) ++ [
    (mylib.scanPaths ./.)
    ++ [
    ../base/core
    ../base/tui
    ../base/gui
@@ -2,12 +2,12 @@
  config,
  pkgs,
  ...
-}: {
+}:
 {
  home.packages = with pkgs; [
    clash-meta
  ];
  home.file.".proxychains/proxychains.conf".source =
-    config.lib.file.mkOutOfStoreSymlink
+    config.lib.file.mkOutOfStoreSymlink "${config.home.homeDirectory}/nix-config/home/darwin/proxy/proxychains.conf";
    "${config.home.homeDirectory}/nix-config/home/darwin/proxy/proxychains.conf";
 }
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
 {
  # Squirrel Input Method
  home.file."Library/Rime" = {
    # my custom squirrel data (flypy input method)
@@ -1,4 +1,5 @@
-{lib, ...}: let
+{ lib, ... }:
 let
  envExtra = ''
    export PATH="$PATH:/opt/homebrew/bin:/usr/local/bin"
  '';
@@ -20,7 +21,8 @@
      true
    fi
  '';
-in {
+in
 {
  # Homebrew's default install location:
  #   /opt/homebrew for Apple Silicon
  #   /usr/local for macOS Intel
@@ -1,10 +1,34 @@
 # Home Manager's Linux Submodules
-1. `base`: The base module that is suitable for any NixOS environment.
+This directory contains Linux-specific Home Manager configurations organized for different use
-2. `desktop`: Configuration for desktop environments, such as Hyprland, I3, etc.
+cases.
-3. `server.nix`: Configuration which is suitable for both servers and desktops. It import only
+
-   `base` as its submodule.
+## Configuration Modules
-   1. used by all my nixos servers.
+
-4. `desktop.nix`: the entrypoint of desktop's configuration, it import both `base` and `desktop` as
+### Core Configurations
-   its submodules.
+
-   1. used by all my nixos desktops.
+- **core.nix**: Essential Linux-specific configurations and settings
 - **base/**: Base Linux configurations including shell, tools, and utilities
  - `shell.nix`: Shell configurations and aliases
  - `tools.nix`: Essential command-line tools and utilities
 ### Desktop Configurations
 - **gui/**: Desktop environment configurations
  - **hyprland/**: Hyprland window manager with custom keybindings and settings
  - **niri/**: Niri compositor configuration
  - **base/**: Common desktop applications and services
  - **editors/**: Text editor configurations for desktop environments
 ### Available Entry Points
 - **core.nix**: Core Linux configuration, suitable for basic setups
 - **tui.nix**: Terminal-based interface configuration for lightweight environments
 - **gui.nix**: Graphical user interface configuration entry point, imports desktop environments
 ## Usage
 - **Lightweight/Terminal**: Use `core.nix` or `tui.nix` for terminal-focused setups
 - **Desktops**: Use `gui.nix` for full desktop environments with window managers like Hyprland or
  Niri
 - **Custom**: Mix and match configurations as needed for your specific use case
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
 {
  imports = mylib.scanPaths ./.;
 }
@@ -2,11 +2,13 @@
  config,
  myvars,
  ...
-}: let
+}:
 let
  d = config.xdg.dataHome;
  c = config.xdg.configHome;
  cache = config.xdg.cacheHome;
-in rec {
+in
 rec {
  home.homeDirectory = "/home/${myvars.username}";
  # environment variables that always set at login
@@ -1,4 +1,5 @@
-{pkgs, ...}: {
+{ pkgs, ... }:
 {
  # Linux Only Packages, not available on Darwin
  home.packages = with pkgs; [
    # misc
@@ -1,17 +1,49 @@
-# Desktop Related
+# Desktop Environment Configurations
-3. `base`: all common configurations for all desktops.
+This directory contains desktop environment and window manager configurations managed by Home
-4. `hyprland`: Hyprland's configuration.
+Manager.
-## Why install I3/Hyprland in Home Manager instead of a NixOS Module?
+## Available Configurations
-1. I3 & Hyprland's configuration file is located in `~/.config`, which can be easily managed by Home
+### Window Managers
-   Manager.
+
-2. I have many user-specific systemd services, such gammastep, wallpaper-switcher, etc. Which can be
+- **hyprland**: Hyprland compositor configuration with custom keybindings, settings, and window
-   easily managed by Home Manager, but if we add i3/hyprland in a NixOS Module, those user-level
+  rules
-   services may failed to start automatically. With i3/hyprland in a Home Manager Module, we can
+- **niri**: Niri compositor configuration with custom settings, keybindings, spawn-at-startup rules,
-   control their systemd service's dependent order more easily, so we can avoid issues like this.
+  and window rules
-3. By install packages as less as possible in NixOS Module, we can:
+
-   1. Make the NixOS system more secure and stable.
+### Base Desktop Environment
-   2. Make this flake more portable to other non-NixOS systems, as home-manager can be installed on
+
-      any Linux system.
+- **base**: Common desktop configurations shared across all environments, including:
  - Desktop applications (anyrun, mako, waybar, wlogout)
  - Creative tools and media applications
  - Development tools
  - Eye protection utilities (gammastep)
  - Fcitx5 input method framework
  - Games and gaming utilities
  - GTK theme configurations
  - Immutable file handling
  - Note-taking applications
  - Wallpaper management with auto-switcher
  - Wayland applications
  - XDG desktop configurations
 ### Editor Configurations
 - **editors**: Text editor configurations and integrations
 ## Why install Desktop Environments in Home Manager instead of NixOS Module?
 1. **Configuration Location**: Desktop environment configuration files are located in `~/.config`,
   which can be easily managed by Home Manager.
 2. **User-specific Services**: Many user-specific systemd services (gammastep, wallpaper-switcher,
   etc.) can be easily managed by Home Manager. If desktop environments were configured via NixOS
   Module, these user-level services might fail to start automatically. With Home Manager modules,
   we can control systemd service dependency order more effectively.
 3. **System Benefits**: By minimizing package installation through NixOS Module:
   - Makes the NixOS system more secure and stable
   - Increases portability to non-NixOS systems, as Home Manager can be installed on any Linux
     system
   - Allows for easier switching between different window managers without system-level changes
@@ -1,15 +1,17 @@
 {
  lib,
  pkgs,
  pkgs-unstable,
  # pkgs-stable,
  nur-ryan4yin,
  blender-bin,
  ...
-}: {
+}:
-  home.packages = with pkgs; [
+{
  home.packages =
    with pkgs;
    [
      # creative
    # https://github.com/edolstra/nix-warez/blob/master/blender/flake.nix
    blender-bin.packages.${pkgs.system}.blender_4_2 # 3d modeling
      # gimp      # image editing, I prefer using figma in browser instead of this one
      inkscape # vector graphics
      krita # digital painting
@@ -18,36 +20,41 @@
      # sonic-pi # music programming
      # 2d game design
    ldtk # A modern, versatile 2D level editor
      # aseprite # Animated sprite editor & pixel art tool
      # this app consumes a lot of storage, so do not install it currently
      # kicad     # 3d printing, eletrical engineering
    ]
    ++ (lib.optionals pkgs.stdenv.isx86_64 [
      # https://github.com/edolstra/nix-warez/blob/master/blender/flake.nix
      blender-bin.packages.${pkgs.system}.blender_4_2 # 3d modeling
      ldtk # A modern, versatile 2D level editor
      # fpga
-    pkgs-unstable.python313Packages.apycula # gowin fpga
+      # python313Packages.apycula # gowin fpga
-    pkgs-unstable.yosys # fpga synthesis
+      # yosys # fpga synthesis
-    pkgs-unstable.nextpnr # fpga place and route
+      # nextpnr # fpga place and route
-    pkgs-unstable.openfpgaloader # fpga programming
+      # openfpgaloader # fpga programming
      # nur-ryan4yin.packages.${pkgs.system}.gowin-eda-edu-ide # app: `gowin-env` => `gw_ide` / `gw_pack` / ...
-  ];
+    ]);
  programs = {
    # live streaming
    obs-studio = {
-      enable = true;
+      enable = pkgs.stdenv.isx86_64;
-      plugins = with pkgs.obs-studio-plugins; [
+      plugins =
        with pkgs.obs-studio-plugins;
        [
          # screen capture
          wlrobs
          # obs-ndi
        obs-vaapi
          # obs-nvfbc
          obs-teleport
          # obs-hyperion
          droidcam-obs
          obs-vkcapture
          obs-gstreamer
        obs-3d-effect
          input-overlay
          obs-multi-rtmp
          obs-source-clone
@@ -61,7 +68,11 @@
          obs-backgroundremoval
          # advanced-scene-switcher
          obs-pipewire-audio-capture
-      ];
+        ]
        ++ (lib.optionals pkgs.stdenv.isx86_64 [
          obs-vaapi
          obs-3d-effect
        ]);
    };
  };
 }
@@ -1,3 +1,4 @@
-{mylib, ...}: {
+{ mylib, ... }:
 {
  imports = mylib.scanPaths ./.;
 }
@@ -0,0 +1,66 @@
 {
  pkgs,
  anyrun,
  ...
 }:
 let
  anyrunPackages = anyrun.packages.${pkgs.system};
 in
 {
  imports = [
    (
      { modulesPath, ... }:
      {
        # Important! We disable home-manager's module to avoid option
        # definition collisions
        disabledModules = [ "${modulesPath}/programs/anyrun.nix" ];
      }
    )
    anyrun.homeManagerModules.default
  ];
  programs.anyrun = {
    enable = true;
    # The package should come from the same flake as all the plugins to avoid breakage.
    package = anyrunPackages.anyrun;
    config = {
      # The horizontal position.
      # when using `fraction`, it sets a fraction of the width or height of the screen
      x.fraction = 0.5; # at the middle of the screen
      # The vertical position.
      y.fraction = 0.05; # at the top of the screen
      # The width of the runner.
      width.fraction = 0.3; # 30% of the screen
      hideIcons = false;
      ignoreExclusiveZones = false;
      layer = "overlay";
      hidePluginInfo = false;
      closeOnClick = true;
      showResultsImmediately = true;
      maxEntries = null;
      # https://github.com/anyrun-org/anyrun/tree/master/plugins
      plugins = with anyrunPackages; [
        applications # Launch applications
        dictionary # Look up word definitions using the Free Dictionary API.
        nix-run # search & run graphical apps from nixpkgs via `nix run`, without installing it.
        # randr         # quickly change monitor configurations on the fly
        rink # A simple calculator plugin
        symbols # Look up unicode symbols and custom user defined symbols.
        translate # ":zh <text to translate>" Quickly translate text using the Google Translate API.
        niri-focus # Search for & focus the window via title/appid on Niri
      ];
    };
    extraConfigFiles = {
      "symbols.ron".source = ./conf/anyrun/symbols.ron;
      "applications.ron".source = ./conf/anyrun/applications.ron;
    };
  };
  # https://github.com/anyrun-org/anyrun/discussions/179
  xdg.configFile."anyrun/style.css".source = ./conf/anyrun/style.css;
 }
@@ -0,0 +1,16 @@
 Config(
  // Also show the Desktop Actions defined in the desktop files, e.g. "New Window" from LibreWolf
  desktop_actions: true,
  max_entries: 5,
  // The terminal used for running terminal based desktop entries, if left as `None` a static list of terminals is used
  // to determine what terminal to use.
  terminal: Some(Terminal(
    // The main terminal command
    command: "alacritty",
    // What arguments should be passed to the terminal process to run the command correctly
    // {} is replaced with the command in the desktop entry
    args: "-e {}",
  )),
 )
@@ -0,0 +1,101 @@
 /* ===== Color variables ===== */
 :root {
  --bg-color: #313244;
  --fg-color: #cdd6f4;
  --primary-color: #89b4fa;
  --secondary-color: #cba6f7;
  --border-color: var(--primary-color);
  --selected-bg-color: var(--primary-color);
  --selected-fg-color: var(--bg-color);
 }
 /* ===== Global reset ===== */
 * {
  all: unset;
  font-family: "JetBrainsMono Nerd Font", monospace;
 }
 /* ===== Transparent window ===== */
 window {
  background: transparent;
 }
 /* ===== Main container ===== */
 box.main {
  border-radius: 16px;
  background-color: color-mix(in srgb, var(--bg-color) 80%, transparent);
  border: 0.5px solid color-mix(in srgb, var(--fg-color) 25%, transparent);
  padding: 12px; /* add uniform padding around the whole box */
 }
 /* ===== Input field ===== */
 text {
  font-size: 1.3rem;
  background: transparent;
  border: 1px solid var(--border-color);
  border-radius: 16px;
  margin-bottom: 12px;
  padding: 5px 10px;
  min-height: 44px;
  caret-color: var(--primary-color);
 }
 /* ===== List container ===== */
 .matches {
  background-color: transparent;
 }
 /* ===== Single match row ===== */
 .match {
  font-size: 1.1rem;
  padding: 4px 10px; /* tight vertical spacing */
  border-radius: 6px;
 }
 /* Remove default label margins */
 .match * {
  margin: 0;
  padding: 0;
  line-height: 1;
 }
 /* Selected / hover state */
 .match:selected,
 .match:hover {
  background-color: var(--selected-bg-color);
  color: var(--selected-fg-color);
 }
 .match:selected label.plugin.info,
 .match:hover label.plugin.info {
  color: var(--selected-fg-color);
 }
 .match:selected label.match.description,
 .match:hover label.match.description {
  color: color-mix(in srgb, var(--selected-fg-color) 90%, transparent);
 }
 /* ===== Plugin info label ===== */
 label.plugin.info {
  color: var(--fg-color);
  font-size: 1rem;
  min-width: 160px;
  text-align: left;
 }
 /* ===== Description label ===== */
 label.match.description {
  font-size: 0rem;
  color: var(--fg-color);
 }
 /* ===== Fade-in animation ===== */
@keyframes fade {
  0% {
    opacity: 0;
  }
  100% {
    opacity: 1;
  }
 }
@@ -0,0 +1,10 @@
 Config(
  // The prefix that the search needs to begin with to yield symbol results
  prefix: "",
  // Custom user defined symbols to be included along the unicode symbols
  symbols: {
    // "name": "text to be copied"
    "shrug": "¯\\_(ツ)_/¯",
  },
  max_entries: 3,
 )
@@ -0,0 +1,37 @@
 general {
    lock_cmd = pidof swaylock || swaylock              # avoid starting multiple instances
    before_sleep_cmd = loginctl lock-session          # lock before suspend
    after_sleep_cmd = hyprctl dispatch dpms on        # resume dpms after suspend
    ignore_dbus_inhibit = false                       # whether to ignore dbus-sent idle-inhibit requests
 }
 listener { 
    timeout = 180                                                      # 3 minutes
    # List devices: brightnessctl --list
    # Adjust keyboard backlight: brightnessctl -d kbd_backlight set 50%
    on-timeout = brightnessctl --save --device=kbd_backlight set 0     # turn off keyboard backlight.
    on-resume = brightnessctl --restore --device=kbd_backlight         # turn on keyboard backlight.
 }
 # listener {
 #     timeout = 600                                # 10min.
 #     on-timeout = brightnessctl -s set 10         # set monitor backlight to minimum, avoid 0 on OLED monitor.
 #     on-resume = brightnessctl -r                 # monitor backlight restore.
 # }
 listener {
    timeout = 1600                                     # 20 minutes
    on-timeout = pidof swaylock || swaylock           # lock screen
    on-resume = hyprctl dispatch dpms on              # monitor wake up
 }
 listener {
    timeout = 1660                                             # 31 minutes
    on-timeout = hyprctl dispatch dpms off                     # screen off
    on-resume = hyprctl dispatch dpms on && brightnessctl -r   # monitor wake up & screen on
 }
 # listener {
 #     timeout = 1800                                # 30min
 #     on-timeout = systemctl suspend                # suspend pc
 # }
@@ -12,7 +12,7 @@ on-touch=dismiss
 on-notify=exec mpv /usr/share/sounds/freedesktop/stereo/message.oga
 # STYLE OPTIONS
-font=JetBrains Mono 10
+font=Maple Mono NF CN
 width=300
 height=100
 margin=10
--- a/Show More
+++ b/Show More