treewide: update

I honestly have no idea how to commit this pile of stuff one by one...

.sops.yaml

@@ -8,6 +8,11 @@ keys:
   - &blacksteel age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
   - &lightsail-tokyo age1vw4kf5v8cfnhfhvl0eyvqzpvy9hpfv9enffvzyt95tx5mu7s5dxqjqw0fa
 creation_rules:
+  - path_regex: hosts/blacksteel/secrets.yaml$
+    key_groups:
+      - age:
+          - *guanranwang
+          - *blacksteel
   - path_regex: hosts/lightsail-tokyo/secrets.yaml$
     key_groups:
       - age:

flake.lock

@@ -1,5 +1,26 @@
 {
   "nodes": {
+    "aagl": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1716425853,
+        "narHash": "sha256-PSd1jStP3SfJB3JvHRVjHpGwy3eKjni06VciEly0rHQ=",
+        "owner": "ezKEa",
+        "repo": "aagl-gtk-on-nix",
+        "rev": "fa6201a1cfcaa84d442c9c9b17c2e79df99f444b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ezKEa",
+        "repo": "aagl-gtk-on-nix",
+        "type": "github"
+      }
+    },
     "berberman": {
       "inputs": {
         "nixpkgs": [
@@ -10,11 +31,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714155185,
+        "lastModified": 1716307996,
-        "narHash": "sha256-/waEN3vHOgWHqRi4p3lbndS8C3iFl1ZQA60dR0CrJco=",
+        "narHash": "sha256-yuyK5HpOIbzkptgvuL+jqi+/Jy1XYzjsNUN2AUIq+Wc=",
         "owner": "berberman",
         "repo": "flakes",
-        "rev": "8609046ac57e6b32e601c6577562c3eb75ae95f6",
+        "rev": "09f7b705563c36221e89d0e9bc156b29c0a5d6f2",
         "type": "github"
       },
       "original": {
@@ -30,11 +51,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714536327,
+        "lastModified": 1716156051,
-        "narHash": "sha256-zu4+LcygJwdyFHunTMeDFltBZ9+hoWvR/1A7IEy7ChA=",
+        "narHash": "sha256-TjUX7WWRcrhuUxDHsR8pDR2N7jitqZehgCVSy3kBeS8=",
         "owner": "ipetkov",
         "repo": "crane",
-        "rev": "3124551aebd8db15d4560716d4f903bd44c64e4a",
+        "rev": "7443df1c478947bf96a2e699209f53b2db26209d",
         "type": "github"
       },
       "original": {
@@ -50,11 +71,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714612856,
+        "lastModified": 1716431128,
-        "narHash": "sha256-W7+rtMzRmdovzndN2NYUv5xzkbMudtQ3jbyFuGk0O1E=",
+        "narHash": "sha256-t3T8HlX3udO6f4ilLcN+j5eC3m2gqsouzSGiriKK6vk=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "d57058eb09dd5ec00c746df34fe0a603ea744370",
+        "rev": "7ffc4354dfeb37c8c725ae1465f04a9b45ec8606",
         "type": "github"
       },
       "original": {
@@ -64,6 +85,22 @@
       }
     },
     "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
       "locked": {
         "lastModified": 1696426674,
         "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
@@ -85,11 +122,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714641030,
+        "lastModified": 1715865404,
-        "narHash": "sha256-yzcRNDoyVP7+SCNX0wmuDju1NUCt8Dz9+lyUXEI0dbI=",
+        "narHash": "sha256-/GJvTdTpuDjNn84j82cU6bXztE0MSkdnTWClUCRub78=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "e5d10a24b66c3ea8f150e47dfdb0416ab7c3390e",
+        "rev": "8dc45382d5206bd292f9c2768b8058a8fd8311d9",
         "type": "github"
       },
       "original": {
@@ -145,11 +182,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714679908,
+        "lastModified": 1716457508,
-        "narHash": "sha256-KzcXzDvDJjX34en8f3Zimm396x6idbt+cu4tWDVS2FI=",
+        "narHash": "sha256-ZxzffLuWRyuMrkVVq7wastNUqeO0HJL9xqfY1QsYaqo=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "9036fe9ef8e15a819fa76f47a8b1f287903fb848",
+        "rev": "850cb322046ef1a268449cf1ceda5fd24d930b05",
         "type": "github"
       },
       "original": {
@@ -247,11 +284,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713946171,
+        "lastModified": 1716329735,
-        "narHash": "sha256-lc75rgRQLdp4Dzogv5cfqOg6qYc5Rp83oedF2t0kDp8=",
+        "narHash": "sha256-ap51w+VqG21vuzyQ04WrhI2YbWHd3UGz0e7dc/QQmoA=",
         "owner": "LnL7",
         "repo": "nix-darwin",
-        "rev": "230a197063de9287128e2c68a7a4b0cd7d0b50a7",
+        "rev": "eac4f25028c1975a939c8f8fba95c12f8a25e01c",
         "type": "github"
       },
       "original": {
@@ -273,11 +310,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713988078,
+        "lastModified": 1715807870,
-        "narHash": "sha256-scRrzQQyJAT0iPAd8AZvolgiq7npatsfytwnduESndI=",
+        "narHash": "sha256-lutvG1LFGSpXsGA7U4TWfdfq6p71WdSlhw3vM4W/Opk=",
         "owner": "Gerschtli",
         "repo": "nix-formatter-pack",
-        "rev": "08d0135dbe95992b5f8d54c351ce62be2177f0b4",
+        "rev": "ab5feb867e5d074918852de6134500a82a09dc48",
         "type": "github"
       },
       "original": {
@@ -296,11 +333,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714303849,
+        "lastModified": 1716409168,
-        "narHash": "sha256-o/IgiwA0ZS/nMh5YB0bt+ae3Lt+tlbQouY/xL7tB5h0=",
+        "narHash": "sha256-EhfEm11GRKDJVWeCRZ9uH6PZC6I0rAKTTEOedOlEfEI=",
         "owner": "fufexan",
         "repo": "nix-gaming",
-        "rev": "dbb96ae98e723128cf5a612480ba6187113f5e49",
+        "rev": "72a38144721f978979d09f01e0929457c347d1f3",
         "type": "github"
       },
       "original": {
@@ -350,11 +387,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714685946,
+        "lastModified": 1716413945,
-        "narHash": "sha256-09YdG9ExCFj9Ngrc1qXZBtn6LRyzFG2KcVVcl295tmU=",
+        "narHash": "sha256-BND2qR3ijnT1pS0vonpzlloeJqcnkLsz863JVl4Hb48=",
         "owner": "jacekszymanski",
         "repo": "nixcasks",
-        "rev": "a0bc85d5d4d3c3e83c637cfb8b0830ed55020bf2",
+        "rev": "8d9c80f1ffd737aa1a2660bcf8fecbd3176dc71e",
         "type": "github"
       },
       "original": {
@@ -365,11 +402,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1714465198,
+        "lastModified": 1716173274,
-        "narHash": "sha256-ySkEJvS0gPz2UhXm0H3P181T8fUxvDVcoUyGn0Kc5AI=",
+        "narHash": "sha256-FC21Bn4m6ctajMjiUof30awPBH/7WjD0M5yqrWepZbY=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "68d680c1b7c0e67a9b2144d6776583ee83664ef4",
+        "rev": "d9e0b26202fd500cf3e79f73653cce7f7d541191",
         "type": "github"
       },
       "original": {
@@ -395,16 +432,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1714750568,
+        "lastModified": 1716358718,
-        "narHash": "sha256-HHx3NGN7gHZdfnyXF961sxr9FcxM5bg4gweeHEnRxXQ=",
+        "narHash": "sha256-NQbegJb2ZZnAqp2EJhWwTf6DrZXSpA6xZCEq+RGV1r0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e96601ecf084d9d6a366a4f0da7f36479f67f81e",
+        "rev": "3f316d2a50699a78afe5e77ca486ad553169061e",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable-small",
+        "ref": "nixpkgs-unstable",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -427,11 +464,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1714531828,
+        "lastModified": 1716361217,
-        "narHash": "sha256-ILsf3bdY/hNNI/Hu5bSt2/KbmHaAVhBbNUOdGztTHEg=",
+        "narHash": "sha256-mzZDr00WUiUXVm1ujBVv6A0qRd8okaITyUp4ezYRgc4=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0638fe2715d998fa81d173aad264eb671ce2ebc1",
+        "rev": "46397778ef1f73414b03ed553a3368f0e7e33c2f",
         "type": "github"
       },
       "original": {
@@ -482,11 +519,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1714681542,
+        "lastModified": 1716479105,
-        "narHash": "sha256-7WQo+TMORkw/Bo1AADX7IuYu28rWVJN7qMTq3QDWU9E=",
+        "narHash": "sha256-O5vAr3D1Kxo+BCzL25bR6H3IwLZISj/B29OVGon216k=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "6132349be4a6cfe62cfe744d622a645e4981d458",
+        "rev": "b3d163c563387c70d9a4ee1055e6c9def436f529",
         "type": "github"
       },
       "original": {
@@ -526,9 +563,6 @@
         "flake-compat": [
           "flake-compat"
         ],
-        "flake-utils": [
-          "flake-utils"
-        ],
         "gitignore": [
           "gitignore"
         ],
@@ -540,11 +574,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714478972,
+        "lastModified": 1716213921,
-        "narHash": "sha256-q//cgb52vv81uOuwz1LaXElp3XAe1TqrABXODAEF6Sk=",
+        "narHash": "sha256-xrsYFST8ij4QWaV6HEokCUNIZLjjLP1bYC60K8XiBVA=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "2849da033884f54822af194400f8dff435ada242",
+        "rev": "0e8fcc54b842ad8428c9e705cb5994eaf05c26a0",
         "type": "github"
       },
       "original": {
@@ -555,10 +589,11 @@
     },
     "root": {
       "inputs": {
+        "aagl": "aagl",
         "berberman": "berberman",
         "crane": "crane",
         "disko": "disko",
-        "flake-compat": "flake-compat",
+        "flake-compat": "flake-compat_2",
         "flake-parts": "flake-parts",
         "flake-utils": "flake-utils",
         "gitignore": "gitignore",
@@ -599,11 +634,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714616033,
+        "lastModified": 1716430594,
-        "narHash": "sha256-JcWAjIDl3h0bE/pII0emeHwokTeBl+SWrzwrjoRu7a0=",
+        "narHash": "sha256-vdVzaGD5p+KG7XHepIeX5rUPmdzEcF2w6rhqfr0SNkI=",
         "owner": "oxalica",
         "repo": "rust-overlay",
-        "rev": "3e416d5067ba31ff8ac31eeb763e4388bdf45089",
+        "rev": "ee0db3aeebafeaada2b98d076de6d314b4c8682e",
         "type": "github"
       },
       "original": {
@@ -638,11 +673,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1713892811,
+        "lastModified": 1716400300,
-        "narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
+        "narHash": "sha256-0lMkIk9h3AzOHs1dCL9RXvvN4PM8VBKb+cyGsqOKa4c=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
+        "rev": "b549832718b8946e875c016a4785d204fcfc2e53",
         "type": "github"
       },
       "original": {
@@ -681,11 +716,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714611022,
+        "lastModified": 1716425501,
-        "narHash": "sha256-Cneh2G54TO1eVQBxLZp0JlW8LWbTE/N1WjcE2W+F3pI=",
+        "narHash": "sha256-BSLhmGYY1khyyBAjraR+N0Pa9Nha/et5yQQlEZxcfkU=",
         "owner": "nix-community",
         "repo": "srvos",
-        "rev": "1fa90a0a81fec38c117397fde79733cc78f12815",
+        "rev": "1122cd50a23647e09c3e7a679d37ec02113bc412",
         "type": "github"
       },
       "original": {
@@ -716,11 +751,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714058656,
+        "lastModified": 1715940852,
-        "narHash": "sha256-Qv4RBm4LKuO4fNOfx9wl40W2rBbv5u5m+whxRYUMiaA=",
+        "narHash": "sha256-wJqHMg/K6X3JGAE9YLM0LsuKrKb4XiBeVaoeMNlReZg=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "c6aaf729f34a36c445618580a9f95a48f5e4e03f",
+        "rev": "2fba33a182602b9d49f0b2440513e5ee091d838b",
         "type": "github"
       },
       "original": {

flake.nix

@@ -7,9 +7,13 @@
     #       `nixpkgs-unstable` contains less(?) jobs, and usually updates faster.
     #
     # REFERENCE: https://discourse.nixos.org/t/differences-between-nix-channels/13998/5
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable-small";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
     nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-23.11";
 
+    aagl = {
+      url = "github:ezKEa/aagl-gtk-on-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
     berberman = {
       url = "github:berberman/flakes";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -140,7 +144,6 @@
       inputs.nixpkgs.follows = "nixpkgs";
       inputs.nixpkgs-stable.follows = "nixpkgs-stable";
       inputs.flake-compat.follows = "flake-compat";
-      inputs.flake-utils.follows = "flake-utils";
       inputs.gitignore.follows = "gitignore";
     };
     rust-overlay = {

hosts/aristotle/default.nix

@@ -1,6 +1,8 @@
 {
   pkgs,
   inputs,
+  config,
+  lib,
   ...
 }: {
   imports = [
@@ -53,4 +55,17 @@
 
   # for udev rules
   programs.adb.enable = true;
+
+  # fucking hell
+  programs.anime-game-launcher.enable = true;
+
+  # FIXME:
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.mkDriver {
+    version = "555.42.02";
+    sha256_64bit = "sha256-k7cI3ZDlKp4mT46jMkLaIrc2YUx1lh1wj/J4SVSHWyk=";
+    sha256_aarch64 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=";
+    openSha256 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=";
+    settingsSha256 = "sha256-rtDxQjClJ+gyrCLvdZlT56YyHQ4sbaL+d5tL4L4VfkA=";
+    persistencedSha256 = lib.fakeSha256;
+  };
 }

hosts/blacksteel/README.md

@@ -10,7 +10,7 @@ MacBookPro11,3
 
 ### Description
 
-Homelab, hosting random stuff through tailscale.
+Homelab, hosting random stuff through tailscale and rathole.
 
 ### TODOs:
 

hosts/blacksteel/anti-feature.nix

@@ -9,22 +9,22 @@
         "adoptopenjdk-hotspot-bin"
         "cargo-bootstrap"
         "cef-binary"
+        "minecraft-server"
         "rustc-bootstrap"
         "rustc-bootstrap-wrapper"
         "sof-firmware"
         "spotify"
-        "vscodium"
-        "papermc"
         "temurin-bin"
+        "vscodium"
       ];
 
     allowUnfree = false;
     allowUnfreePredicate = pkg:
       builtins.elem (lib.getName pkg) [
+        "broadcom-sta"
+        "minecraft-server"
         "nvidia-x11"
         "spotify"
-        "broadcom-sta"
-        "papermc"
       ];
   };
 }

hosts/blacksteel/default.nix

@@ -1,11 +1,15 @@
 {
   pkgs,
   lib,
+  config,
   ...
 }: {
   imports = [
     # OS
-    ../../nixos/profiles/laptop
+    # FIXME:
+    ../../nixos/profiles/common/core
+    ../../nixos/profiles/common/physical
+    ../../nixos/profiles/common/mobile
     ../../nixos/profiles/common/opt-in/clash-meta-client
 
     # Hardware
@@ -19,26 +23,148 @@
   time.timeZone = "Asia/Shanghai";
   system.stateVersion = "23.11";
 
+  ######## Secrets
+  sops = {
+    secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
+      "synapse/secret" = {
+        restartUnits = ["matrix-synapse.service"];
+        owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+      };
+      "synapse/oidc" = {
+        restartUnits = ["matrix-synapse.service"];
+        owner = config.systemd.services.matrix-synapse.serviceConfig.User;
+      };
+      "syncv3/environment" = {
+        restartUnits = ["matrix-sliding-sync.service"];
+      };
+      "mastodon/environment" = {
+        restartUnits = ["mastodon-web.service"];
+      };
+    };
+  };
+
   ######## Services
+  environment.systemPackages = with pkgs; [qbittorrent];
+
   services.tailscale = {
     enable = true;
     openFirewall = true;
   };
 
-  # Minecraft
+  services.frp = {
+    enable = true;
+    role = "client";
+    settings = {
+      serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
+      serverPort = 7000;
+      auth.method = "token";
+      auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; # FIXME: secret!
+      proxies = [
+        {
+          name = "synapse";
+          type = "tcp";
+          localIP = "127.0.0.1";
+          localPort = 8100;
+          remotePort = 8600;
+        }
+        {
+          name = "syncv3";
+          type = "tcp";
+          localIP = "127.0.0.1";
+          remotePort = 8700;
+          plugin = {
+            type = "unix_domain_socket";
+            unixPath = "/run/matrix-sliding-sync/sync.sock";
+          };
+        }
+        {
+          name = "mastodon-web";
+          type = "tcp";
+          localIP = "127.0.0.1";
+          remotePort = 8900;
+          plugin = {
+            type = "unix_domain_socket";
+            unixPath = "/run/mastodon-web/web.socket";
+          };
+        }
+        {
+          name = "mastodon-streaming";
+          type = "tcp";
+          localIP = "127.0.0.1";
+          remotePort = 9000;
+          plugin = {
+            type = "unix_domain_socket";
+            unixPath = "/run/mastodon-streaming/streaming-1.socket";
+          };
+        }
+        {
+          name = "mastodon-system";
+          type = "tcp";
+          localIP = "127.0.0.1";
+          remotePort = 9100;
+          plugin = {
+            type = "static_file";
+            localPath = "/var/lib/mastodon/public-system";
+          };
+        }
+      ];
+    };
+  };
+
+  systemd.services.frp.serviceConfig.SupplementaryGroups = ["mastodon"];
+
+  services.postgresql = {
+    enable = true;
+    settings = {
+      # Generated by pgTune
+      # https://pgtune.leopard.in.ua/#/
+      #
+      # DB Version: 15
+      # OS Type: linux
+      # DB Type: web
+      # Total Memory (RAM): 16 GB
+      # CPUs num: 8
+      # Data Storage: ssd
+
+      max_connections = 200;
+      shared_buffers = "4GB";
+      effective_cache_size = "12GB";
+      maintenance_work_mem = "1GB";
+      checkpoint_completion_target = 0.9;
+      wal_buffers = "16MB";
+      default_statistics_target = 100;
+      random_page_cost = "1.1";
+      effective_io_concurrency = 200;
+      work_mem = "5242kB";
+      huge_pages = "off";
+      min_wal_size = "1GB";
+      max_wal_size = "4GB";
+      max_worker_processes = 8;
+      max_parallel_workers_per_gather = 4;
+      max_parallel_workers = 8;
+      max_parallel_maintenance_workers = 4;
+    };
+    initialScript = pkgs.writeText "synapse-init.sql" ''
+      CREATE ROLE "matrix-synapse" WITH LOGIN PASSWORD 'synapse';
+      CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
+        TEMPLATE template0
+        LC_COLLATE = "C"
+        LC_CTYPE = "C";
+    '';
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    location = "/var/lib/backup/postgresql";
+    compression = "zstd";
+    startAt = "weekly";
+  };
+
   services.minecraft-server = {
     enable = true;
     eula = true;
     openFirewall = true;
 
-    # I should switch to vanilla/fabric one day...
-    package = pkgs.papermc.overrideAttrs {
-      version = "1.20.4-485";
-      hash = "sha256-8bhlv/MU7KDmdL8Ngvg/zLMlGiO4Fswoyn/1diFE65k=";
-    };
-    # TODO: not working for some reason
-    #.override {jre = pkgs.temurin-bin;};
-
     # Aikar's flag
     # https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
     # https://docs.papermc.io/paper/aikars-flags
@@ -82,7 +208,6 @@
     };
   };
 
-  # Samba
   services.samba = {
     enable = true;
     openFirewall = true;
@@ -91,14 +216,105 @@
       "read only" = "no";
     };
   };
+
   services.samba-wsdd = {
     enable = true;
     openFirewall = true;
   };
+
   systemd.tmpfiles.rules = [
     "d /srv/samba/share 0700 guanranwang root"
   ];
 
-  # qBitTorrent
+  services.matrix-synapse = {
-  environment.systemPackages = with pkgs; [qbittorrent];
+    enable = true;
+    withJemalloc = true;
+    extraConfigFiles = [config.sops.secrets."synapse/secret".path];
+    settings = {
+      server_name = "ny4.dev";
+      public_baseurl = "https://matrix.ny4.dev";
+      presence.enabled = false; # tradeoff
+      listeners = [
+        {
+          port = 8100;
+          bind_addresses = ["127.0.0.1"];
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = true;
+            }
+          ];
+        }
+      ];
+
+      # https://element-hq.github.io/synapse/latest/openid.html#keycloak
+      oidc_providers = [
+        {
+          idp_id = "keycloak";
+          idp_name = "id.ny4.dev";
+          issuer = "https://id.ny4.dev/realms/master";
+          client_id = "synapse";
+          client_secret_path = config.sops.secrets."synapse/oidc".path;
+          scopes = ["openid" "profile"];
+          user_mapping_provider.config = {
+            localpart_template = "{{ user.preferred_username }}";
+            display_name_template = "{{ user.name }}";
+          };
+          backchannel_logout_enabled = true;
+          allow_existing_users = true;
+        }
+      ];
+    };
+  };
+
+  systemd.services.matrix-synapse.environment = config.networking.proxy.envVars;
+
+  services.matrix-sliding-sync = {
+    enable = true;
+    environmentFile = config.sops.secrets."syncv3/environment".path;
+    settings = {
+      SYNCV3_SERVER = "http://127.0.0.1:8100";
+      SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
+    };
+  };
+
+  systemd.services.matrix-sliding-sync.serviceConfig.RuntimeDirectory = ["matrix-sliding-sync"];
+
+  services.mastodon = {
+    enable = true;
+    localDomain = "ny4.dev";
+    streamingProcesses = 1;
+    # FIXME: this doesn't exist
+    smtp = {
+      createLocally = false;
+      fromAddress = "mastodon@ny4.dev";
+    };
+    extraConfig = rec {
+      SINGLE_USER_MODE = "true";
+      WEB_DOMAIN = "mastodon.ny4.dev";
+
+      # keycloak
+      OMNIAUTH_ONLY = "true";
+      OIDC_ENABLED = "true";
+      OIDC_CLIENT_ID = "mastodon";
+      # OIDC_CLIENT_SECRET # EnvironmentFile
+      OIDC_DISCOVERY = "true";
+      OIDC_DISPLAY_NAME = "id.ny4.dev";
+      OIDC_ISSUER = "https://id.ny4.dev/realms/master";
+      OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
+      OIDC_SCOPE = "openid,profile,email";
+      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
+      OIDC_UID_FIELD = "preferred_username";
+    };
+  };
+
+  systemd.services.mastodon-web = {
+    environment = config.networking.proxy.envVars;
+    serviceConfig.EnvironmentFile = [config.sops.secrets."mastodon/environment".path];
+  };
+
+  systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
 }

hosts/blacksteel/hardware-configuration.nix

@@ -7,7 +7,6 @@
     inputs.nixpkgs.nixosModules.notDetected
     inputs.nixos-hardware.nixosModules.apple-macbook-pro
     inputs.nixos-hardware.nixosModules.common-cpu-intel
-    inputs.nixos-hardware.nixosModules.common-gpu-intel
     #inputs.nixos-hardware.nixosModules.common-gpu-nvidia-nonprime
     inputs.nixos-hardware.nixosModules.common-hidpi
     inputs.nixos-hardware.nixosModules.common-pc-laptop

hosts/blacksteel/secrets.yaml

@@ -0,0 +1,36 @@
+synapse:
+    secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str]
+    oidc: ENC[AES256_GCM,data:vGQcPcUfbv6II6buEMKELc1+xZ5XccpEeCy3vZx4fdk=,iv:ORok/FXZ9SA54zD1+OhyFnZAPhGpMpTetWYgge2QSwQ=,tag:7DxrruTbenUfI/V6hGYBaw==,type:str]
+syncv3:
+    environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
+mastodon:
+    environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwdjRrUkJXd3Z2VlhRRDEz
+            YS9DZVlQYmNXeW9qQWtZZlUrZHQrSXFJYWtRCk54Z3NEck51dTR3ZDh3SnEwNXhu
+            ZEI4S1ZEQklDd0ZwTWJwdHNEVlFERWsKLS0tIGRSVjVGR3daR0k2dVVHUmVwMHlL
+            dWtkdkQvMjZqbHp0STA3cnZPYkIzOWMKNGH8hQI4oKrjCAEE5onH9sa2AhdjeUsl
+            PSd1/z0ka0Y2wlPGuGOqIXYg8O1WqFxn/uS6O2YZSpAtw7JulOs8aQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSMHRrOGJ6RkxrZndoZkEy
+            V1NtbEw0SExiaWE1bGtPYXROSFVZNmVTR0RVCkM0OHhxMzhvUzVUMThTc3VyZUFq
+            c3FyVUNpM09WUURnSzY4dW4zS0U3T0EKLS0tIFJQL3BlY1N1bkorYlVqRkVaUmdi
+            bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
+            hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-21T10:09:01Z"
+    mac: ENC[AES256_GCM,data:HwZxrU64AQ9icbPWi5E8wQOfVDuSXF9/S9s9BoWpX4yewarKS/k2kRagaW4pBHeL3QUDXxQuTazaLEb06LyWezuS/ij1InCZu4D4DPe7EQ/YfQTDj/r1iCEvo1X2fLuSQ8+H8p5KXy0iV7rZbFLPYY3puYJTVwVJbI3m2rSU9bw=,iv:MzoOmFFTPbfA8FxPRZ2gL4HcYbBWxFJ+LfBB2fL0CSk=,tag:kIqgrNow4u2sbMKijyAKfg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

hosts/lightsail-tokyo/Caddyfile

@@ -12,11 +12,11 @@
 		# https://infosec.mozilla.org/guidelines/web_security
 		# https://caddyserver.com/docs/caddyfile/directives/header#examples
 
-		Content-Security-Policy "default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
+		?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
-		Permissions-Policy interest-Hpcohort=()
+		?Permissions-Policy interest-Hpcohort=()
-		Strict-Transport-Security max-age=31536000;
+		?Strict-Transport-Security max-age=31536000;
-		X-Content-Type-Options nosniff
+		?X-Content-Type-Options nosniff
-		X-Frame-Options DENY
+		?X-Frame-Options DENY
 	}
 }
 
@@ -45,7 +45,19 @@ www.ny4.dev {
 
 ny4.dev {
 	import default
-	respond "Hello, world!"
+
+	# Synapse
+	header /.well-known/matrix/* Content-Type application/json
+	header /.well-known/matrix/* Access-Control-Allow-Origin *
+	handle_path /.well-known/matrix/* {
+		file_server * {
+			root /var/www/matrix
+		}
+	}
+
+	# Mastodon
+	header /.well-known/webfinger Access-Control-Allow-Origin *
+	redir /.well-known/webfinger https://mastodon.ny4.dev{uri} permanent
 }
 
 searx.ny4.dev {
@@ -65,5 +77,61 @@ uptime.ny4.dev {
 
 ntfy.ny4.dev {
 	import default
-	reverse_proxy localhost:8400
+	reverse_proxy unix//run/ntfy-sh/ntfy.sock
+}
+
+pixiv.ny4.dev {
+	import default
+	basicauth {
+		Guanran928 $2a$14$aI977hGZCX6H9IiyG7avdOFxXFGtlt7DcIahTkInPhEx9Sfhk7bri
+	}
+	reverse_proxy unix//run/pixivfe/pixiv.sock
+}
+
+matrix.ny4.dev {
+	import default
+	reverse_proxy /_matrix/* localhost:8600
+	reverse_proxy /_synapse/client/* localhost:8600
+	reverse_proxy /health localhost:8600
+}
+
+syncv3.ny4.dev {
+	import default
+	reverse_proxy localhost:8700
+}
+
+id.ny4.dev {
+	import default
+	reverse_proxy localhost:8800
+}
+
+element.ny4.dev {
+	import default
+	root * @element@
+	file_server
+}
+
+mastodon.ny4.dev {
+	import default
+	handle_path /system/* {
+		reverse_proxy localhost:9100
+	}
+
+	handle /api/v1/streaming/* {
+		reverse_proxy localhost:9000
+	}
+
+	route * {
+		file_server * {
+			root @mastodon@/public
+			pass_thru
+		}
+		reverse_proxy * localhost:8900
+	}
+
+	handle_errors {
+		root * @mastodon@/public
+		rewrite 500.html
+		file_server
+	}
 }

hosts/lightsail-tokyo/anti-feature.nix

@@ -7,6 +7,8 @@
         "cargo-bootstrap"
         "rustc-bootstrap"
         "rustc-bootstrap-wrapper"
+        "keycloak"
+        "temurin-bin"
       ];
 
     allowUnfree = false;

hosts/lightsail-tokyo/default.nix

@@ -17,16 +17,32 @@
   boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
   system.stateVersion = "23.11";
 
+  swapDevices = [
+    {
+      device = "/var/lib/swapfile";
+      size = 4 * 1024; # 4 GiB
+    }
+  ];
+
   # WORKAROUND:
   systemd.services."print-host-key".enable = false;
 
   ### Secrets
-  sops.secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
+  sops = {
-    "hysteria/auth".restartUnits = ["hysteria.service"];
+    secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
-    "searx/environment".restartUnits = ["searx.service"];
+      "hysteria/auth" = {
+        restartUnits = ["hysteria.service"];
+      };
+      "pixivfe/environment" = {
+        restartUnits = ["pixivfe.service"];
+      };
+      "searx/environment" = {
+        restartUnits = ["searx.service"];
+      };
     };
 
-  sops.templates."hysteria.yaml".content = ''
+    templates = {
+      "hysteria.yaml".content = ''
         tls:
           cert: /run/credentials/hysteria.service/cert
           key: /run/credentials/hysteria.service/key
@@ -38,20 +54,47 @@
 
         ${config.sops.placeholder."hysteria/auth"}
       '';
+    };
+  };
 
   ### Services
-  networking.firewall.allowedUDPPorts = [443]; # h3 hysteria -> caddy
+  networking.firewall.allowedUDPPorts = [
-  networking.firewall.allowedTCPPorts = [80 443]; # caddy
+    # hysteria
+    443
+  ];
+  networking.firewall.allowedTCPPorts = [
+    # caddy
+    80
+    443
+
+    # frp
+    7000
+  ];
 
   systemd.tmpfiles.settings = {
     "10-www" = {
       "/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
+      "/var/www/matrix/client".C.argument = toString ./matrix-client.json;
+      "/var/www/matrix/server".C.argument = toString ./matrix-server.json;
     };
   };
 
   services.caddy = {
     enable = true;
-    configFile = ./Caddyfile;
+    configFile = pkgs.substituteAll {
+      src = ./Caddyfile;
+
+      "element" = pkgs.element-web.override {
+        conf.default_server_config."m.homeserver" = let
+          inherit (config.services.matrix-synapse) settings;
+        in {
+          base_url = "https://matrix.ny4.dev";
+          inherit (settings) server_name;
+        };
+      };
+
+      "mastodon" = pkgs.mastodon;
+    };
   };
 
   services.hysteria = {
@@ -64,11 +107,21 @@
     ];
   };
 
+  services.frp = {
+    enable = true;
+    role = "server";
+    settings = {
+      bindPort = 7000;
+      auth.method = "token";
+      auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE";
+    };
+  };
+
   # `journalctl -u murmur.service | grep Password`
   services.murmur = {
     enable = true;
     openFirewall = true;
-    bandwidth = 128000;
+    bandwidth = 256 * 1024; # 256 Kbit/s
   };
 
   services.searx = {
@@ -99,10 +152,45 @@
     enable = true;
     settings = {
       base-url = "https://ntfy.ny4.dev";
-      listen-http = "127.0.0.1:8400";
+      listen-http = "";
+      listen-unix = "/run/ntfy-sh/ntfy.sock";
+      listen-unix-mode = 511; # 0777
+      behind-proxy = true;
     };
   };
 
+  systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
+
+  services.pixivfe = {
+    enable = true;
+    EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
+    settings = {
+      PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
+      PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
+    };
+  };
+
+  systemd.services.pixivfe.serviceConfig = {
+    RuntimeDirectory = ["pixivfe"];
+    ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
+      ${pkgs.coreutils}/bin/sleep 5
+      ${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
+    '';
+  };
+
+  services.keycloak = {
+    enable = true;
+    settings = {
+      http-host = "127.0.0.1";
+      http-port = 8800;
+      proxy = "edge";
+      hostname-strict-backchannel = true;
+      hostname = "id.ny4.dev";
+      cache = "local";
+    };
+    database.passwordFile = toString (pkgs.writeText "password" "keycloak");
+  };
+
   ### Prevents me from bankrupt
   # https://fmk.im/p/shutdown-aws/
   services.vnstat.enable = true;

hosts/lightsail-tokyo/matrix-client.json

@@ -0,0 +1,8 @@
+{
+  "m.homeserver": {
+    "base_url": "https://matrix.ny4.dev"
+  },
+  "org.matrix.msc3575.proxy": {
+    "url": "https://syncv3.ny4.dev"
+  }
+}

hosts/lightsail-tokyo/matrix-server.json

@@ -0,0 +1,3 @@
+{
+  "m.server": "matrix.ny4.dev:443"
+}

hosts/lightsail-tokyo/robots.txt

@@ -1,33 +1,33 @@
-User-agent: GPTBot
+User-agent: Amazonbot
-Disallow: /
-
-User-agent: ChatGPT-User
-Disallow: /
-
-User-agent: Google-Extended
 Disallow: /
 
 User-agent: CCBot
 Disallow: /
 
-User-agent: Amazonbot
+User-agent: ChatGPT-User
-Disallow: /
-
-User-agent: FacebookBot
-Disallow: /
-
-User-agent: anthopic-ai
 Disallow: /
 
 User-agent: Claude-Web
 Disallow: /
 
-User-agent: cohere-ai
+User-agent: FacebookBot
+Disallow: /
+
+User-agent: GPTBot
+Disallow: /
+
+User-agent: Google-Extended
 Disallow: /
 
 User-agent: Omgilibot
 Disallow: /
 
+User-agent: anthopic-ai
+Disallow: /
+
+User-agent: cohere-ai
+Disallow: /
+
 User-Agent: *
 Disallow: /harming/humans
 Disallow: /ignoring/human/orders

hosts/lightsail-tokyo/secrets.yaml

@@ -2,6 +2,8 @@ hysteria:
     auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
 searx:
     environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
+pixivfe:
+    environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -26,8 +28,8 @@ sops:
             R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
             3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-01T11:58:36Z"
+    lastmodified: "2024-05-15T07:19:59Z"
-    mac: ENC[AES256_GCM,data:dC1Q+u26euRWBsbduJC9bI79wZ0HG278Zgiijw65FAaSV6cemtwEul9PYBAOyz81MVSJCS2L7IkV6oUJWRr+nCbMMR19llWFsQNryC4TmthVXpfPkA5KeOHNR0Cz9acaQGdST+4zARYk/8VKYWO+2dX0V/BUN22C1FBu67w21H4=,iv:9CYnuGfW0Ax/rvqRXv+t9DJYF8KmWzeHjI+L6xnhf10=,tag:SQwukFLU9zzOkDGXTbOF4A==,type:str]
+    mac: ENC[AES256_GCM,data:kaOXFVuCPG0enPjvhJRWyHqOrVnlm1+ifFd/ore3WbB0IjDvC3UAuPHQEG/V/wZJOgqx/BmaL31GQWuHHDYgeRqjmcmCFofI4262fuf4XAaCS/vkZCRGTUgqQxmLNBpGNRMxy+Oyk2wCW92Q9HOJl7Suc8snufdext3Nn7AL+TA=,iv:8n6tNsHnwF8iGyTGo15MrpHfWkY4Fuu/Q3DfCFQgGv4=,tag:EbiACYHI14GMQhIBudzgzw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

hosts/socrates/robotnix/flake.nix

@@ -6,15 +6,10 @@
   outputs = inputs: {
     packages.x86_64-linux.default = inputs.self.robotnixConfigurations."socrates".img;
 
-    # FIXME: it doesn't build
-    # hardware/qcom-caf/sm8550/audio/pal/test/PalTest_main.c:56:32: error: unused parameter 'sig' [-Werror,-Wunused-parameter]
-    # static void sigint_handler(int sig)
-    #                                ^
-    # 1 error generated.
     robotnixConfigurations."socrates" = inputs.robotnix.lib.robotnixSystem ({pkgs, ...}: {
       device = "socrates";
       flavor = "lineageos";
-      androidVersion = 13;
+      androidVersion = 14;
 
       apps.chromium.enable = false;
       webview.chromium.enable = false;
@@ -22,32 +17,32 @@
       ccache.enable = true;
 
       source.dirs."device/xiaomi/socrates".src = pkgs.fetchFromGitHub {
-        owner = "kmiit";
+        owner = "danielml3";
         repo = "android_device_xiaomi_socrates";
-        rev = "6548361fe50743d6fe752f5848f63f9965d12d23";
+        rev = "8b48a7a18b8db76d7122ca6e1b5bde8765d16665"; # lineage-21
-        hash = "sha256-traXLuq74MTfUStOqyX3QBBbYAQEtXWTP9PpBjVfK/o=";
+        hash = "sha256-pQIbxpZhaxc7nI8Pl8sjG3kmvD3ComFDowjcKb9eZRo=";
       };
-      source.dirs."device/xiaomi/socrates".patches = [./disable-gapps.patch];
 
       source.dirs."device/xiaomi/socrates-kernel".src = pkgs.fetchFromGitHub {
-        owner = "xiaomi-socrates";
+        owner = "danielml3";
-        repo = "android_device_xiaomi_socrates-kernel";
+        repo = "android_device_xiaomi_socrates";
-        rev = "f13d073698b678442a694b2b2e3eecc997bb5227";
+        rev = "60cd3aebf59cdf96366e8e4a8a1e2887f7d4d063"; # lineage-21-kernel
-        hash = "sha256-Ln7rhdJNbj8imUUaitnUhXMj36Wjuf5IB8UmD6Y1o4c";
+        hash = "sha256-i5QtxvApvGk24WeH6i6nC6jhS2jL2BolRUr/M02y6lc=";
       };
 
       source.dirs."hardware/xiaomi".src = pkgs.fetchFromGitHub {
-        owner = "cupid-development";
+        owner = "LineageOS";
         repo = "android_hardware_xiaomi";
-        rev = "b5167f21ba268a029461bded3f12205e5600b9f0";
+        rev = "4453055456bb452830144d9526342b032289495e"; # lineage-21
-        hash = "sha256-69nyWSjFrTjVsZdX92NZ5lv1H14mtC9dGepaD+nwvhY=";
+        hash = "sha256-kQoHGKsa5L+usIChTMm63P85N8ZGofcllE4Hybf7itA=";
       };
 
+      # TODO:
       source.dirs."vendor/xiaomi/socrates".src = pkgs.fetchFromGitHub {
         owner = "kmiit";
         repo = "android_vendor_xiaomi_socrates";
-        rev = "8808c2f06a7645eaccb4992193f24c188b908418";
+        rev = "";
-        hash = "sha256-jPZxWtTpj5a+EoIVmkU4L0dQD4926HyeM6BE2/1swDw=";
+        hash = "";
       };
     });
   };

nixos/modules/default.nix

@@ -11,5 +11,7 @@
 
     # nixpkgs styled options
     ./services/hysteria.nix
+    ./services/pixivfe.nix
+    ./services/rathole.nix
   ];
 }

nixos/modules/services/pixivfe-pkg.nix

@@ -0,0 +1,37 @@
+{
+  lib,
+  buildGoModule,
+  fetchFromGitea,
+  makeBinaryWrapper,
+}:
+buildGoModule rec {
+  pname = "pixivfe";
+  version = "2.5.1";
+
+  src = fetchFromGitea {
+    domain = "codeberg.org";
+    owner = "VnPower";
+    repo = "PixivFE";
+    rev = "v${version}";
+    hash = "sha256-G2pSPpemMFAbQ9QkI4XAHobv+Em9ZoDUJiO/cwEy4Tc=";
+  };
+
+  vendorHash = "sha256-QapDR964Tn+RxXdkGqCQXacdmlSapF841Y84n4d/6VI=";
+
+  nativeBuildInputs = [makeBinaryWrapper];
+
+  # PixivFE require files from source code
+  postInstall = ''
+    wrapProgram $out/bin/pixivfe \
+      --chdir ${src}
+  '';
+
+  meta = {
+    description = "A privacy respecting frontend for Pixiv";
+    homepage = "https://codeberg.org/VnPower/PixivFE";
+    license = lib.licenses.agpl3Only;
+    mainProgram = "pixivfe";
+    maintainers = with lib.maintainers; [Guanran928];
+    platforms = lib.platforms.linux;
+  };
+}

nixos/modules/services/pixivfe.nix

@@ -0,0 +1,130 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.services.pixivfe;
+in {
+  options.services.pixivfe = {
+    enable = lib.mkEnableOption "PixivFE, a privacy respecting frontend for Pixiv";
+
+    # package = lib.mkPackageOption pkgs "pixivfe" {};
+    package = lib.mkOption {
+      default = pkgs.callPackage ./pixivfe-pkg.nix {};
+    };
+
+    openFirewall = lib.mkEnableOption "open ports in the firewall needed for the daemon to function";
+
+    settings = lib.mkOption {
+      type = lib.types.nullOr (lib.types.attrsOf lib.types.anything);
+      default = null;
+      example = lib.literalExpression ''
+        {
+          PIXIVFE_PORT = "8282";
+          PIXIVFE_TOKEN = "123456_AaBbccDDeeFFggHHIiJjkkllmMnnooPP";
+        };
+      '';
+      description = ''
+        Additional configuration for PixivFE, see
+        <https://pixivfe.pages.dev/environment-variables/> for supported values.
+        For secrets use `EnvironmentFile` option instead.
+      '';
+    };
+
+    EnvironmentFile = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+      example = lib.literalExpression ''
+        /run/secrets/environment
+      '';
+      description = ''
+        File containing environment variables to be passed to the PixivFE service.
+
+        See `systemd.exec(5)` for more information.
+      '';
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion =
+          if cfg.openFirewall
+          then (cfg.settings ? PIXIVFE_PORT)
+          else true;
+        message = ''
+          PIXIVFE_PORT must be specified for NixOS to open a port.
+
+          See https://pixivfe.pages.dev/environment-variables/ for more information.
+        '';
+      }
+      {
+        assertion =
+          if (cfg.EnvironmentFile == null)
+          then (cfg.settings ? PIXIVFE_UNIXSOCKET) || (cfg.settings ? PIXIVFE_PORT)
+          else true;
+        message = ''
+          PIXIVFE_PORT or PIXIVFE_UNIXSOCKET must be set for PixivFE to run.
+
+          See https://pixivfe.pages.dev/environment-variables/ for more information.
+        '';
+      }
+      {
+        assertion =
+          if (cfg.EnvironmentFile == null)
+          then cfg.settings ? PIXIVFE_TOKEN
+          else true;
+        message = ''
+          PIXIVFE_TOKEN must be set for PixivFE to run.
+
+          See https://pixivfe.pages.dev/environment-variables/ for more information.
+        '';
+      }
+    ];
+
+    systemd.services."pixivfe" = {
+      description = "PixivFE, a privacy respecting frontend for Pixiv.";
+      documentation = ["https://pixivfe.pages.dev/"];
+      wantedBy = ["multi-user.target"];
+      after = ["network-online.target"];
+      wants = ["network-online.target"];
+      environment = lib.mkIf (cfg.settings != null) (lib.mapAttrs (_: v:
+        if lib.isBool v
+        then lib.boolToString v
+        else toString v)
+      cfg.settings);
+      serviceConfig = {
+        inherit (cfg) EnvironmentFile;
+        ExecStart = lib.getExe cfg.package;
+        DynamicUser = true;
+
+        ### Hardening
+        AmbientCapabilities = ["CAP_NET_BIND_SERVICE"]; # For ports <= 1024
+        CapabilityBoundingSet = ["CAP_NET_BIND_SERVICE"];
+        NoNewPrivileges = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        ProcSubset = "pid";
+        ProtectClock = true;
+        ProtectControlGroups = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        RestrictNamespaces = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "@system-service";
+        UMask = "0077";
+      };
+    };
+
+    networking.firewall = lib.mkIf cfg.openFirewall {
+      allowedTCPPorts = [cfg.settings.PIXIVFE_PORT];
+    };
+  };
+}

nixos/modules/services/rathole.nix

@@ -0,0 +1,50 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.services.rathole;
+in {
+  options.services.rathole = {
+    enable = lib.mkEnableOption "Rathole, a lightweight and high-performance reverse proxy for NAT traversal";
+
+    package = lib.mkPackageOption pkgs "rathole" {};
+
+    configFile = lib.mkOption {
+      default = null;
+      type = lib.types.nullOr lib.types.path;
+      description = "Configuration file to use.";
+    };
+
+    credentials = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [];
+      example = lib.literalExpression ''
+        [
+          "cert:/tmp/certificate.crt"
+          "key:/tmp/private-key.key"
+        ];
+      '';
+      description = ''
+        Extra credentials loaded by systemd, you can access them by `/run/credentials/rathole.service/foobar`.
+
+        See `systemd.exec(5)` for more information.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services.rathole = {
+      description = "Rathole daemon, a lightweight and high-performance reverse proxy for NAT traversal.";
+      wantedBy = ["multi-user.target"];
+      after = ["network-online.target"];
+      wants = ["network-online.target"];
+      serviceConfig = {
+        ExecStart = "${lib.getExe cfg.package} $\{CREDENTIALS_DIRECTORY}/rathole.toml";
+        LoadCredential = ["rathole.toml:${cfg.configFile}"] ++ cfg.credentials;
+        DynamicUser = true;
+      };
+    };
+  };
+}

nixos/profiles/common/core/default.nix

@@ -5,22 +5,24 @@
   pkgs,
   ...
 }: {
-  imports = [
+  imports =
+    [
       ./hardening
       ./networking
       ./nix
-
+    ]
-    # Flake modules
+    ++ (with inputs; [
-    inputs.disko.nixosModules.disko
+      aagl.nixosModules.default
-    inputs.home-manager.nixosModules.home-manager
+      disko.nixosModules.disko
-    inputs.impermanence.nixosModules.impermanence
+      home-manager.nixosModules.home-manager
-    inputs.lanzaboote.nixosModules.lanzaboote
+      impermanence.nixosModules.impermanence
-    inputs.nix-gaming.nixosModules.pipewireLowLatency
+      lanzaboote.nixosModules.lanzaboote
-    inputs.nur.nixosModules.nur
+      nix-gaming.nixosModules.pipewireLowLatency
-    inputs.self.nixosModules.default
+      nixos-sensible.nixosModules.default
-    inputs.sops-nix.nixosModules.sops
+      nur.nixosModules.nur
-    inputs.nixos-sensible.nixosModules.default
+      self.nixosModules.default
-  ];
+      sops-nix.nixosModules.sops
+    ]);
 
   nixpkgs.overlays = [
     inputs.self.overlays.patches

nixos/profiles/common/graphical/default.nix

@@ -52,6 +52,7 @@
         default = "gtk";
         "org.freedesktop.impl.portal.ScreenCast" = "wlr";
         "org.freedesktop.impl.portal.Screenshot" = "wlr";
+        "org.freedesktop.impl.portal.Inhibit" = "none";
       };
     };
   };
@@ -70,7 +71,7 @@
       package = pkgs.valent;
     };
   };
-  services.xserver.libinput = {
+  services.libinput = {
     touchpad = {
       accelProfile = "flat";
       naturalScrolling = true;

nixos/profiles/common/graphical/home/theme.nix

@@ -30,8 +30,8 @@
     };
 
     theme = {
-      name = "adw-gtk3-dark";
+      name = "Adwaita-dark";
-      package = pkgs.adw-gtk3;
+      package = pkgs.gnome-themes-extra;
     };
   };
 

nixos/profiles/common/graphical/home/wallpapers/default.nix

@@ -18,6 +18,23 @@ in {
       url = "https://i.pximg.net/img-original/img/2023/03/29/01/29/52/106654974_p0.jpg"; # https://www.pixiv.net/en/artworks/106654974
       hash = "sha256-mB/D46JCddOlMUtFQu7R0OtRMIoApbT1nnRv0VyzEb8=";
     };
+    "backgrounds/genshin1.jpg".source = pkgs.fetchurl {
+      inherit curlOptsList;
+      url = "https://i.pximg.net/img-original/img/2022/09/29/00/00/15/101553430_p0.jpg"; # https://www.pixiv.net/artworks/101553430
+      hash = "sha256-VMUxBExuA5LDNQVeBBf4btyWsETN0B7pr0bTrBiJHaI=";
+    };
+
+    "backgrounds/genshin2.jpg".source = pkgs.fetchurl {
+      url = "https://imglf3.lf127.net/img/7196a1c5f06b5e38/T0FlK2VJTUI4Q1ZGbkhrc0ZWMlpiT3RJU1RQOXdJcGhrS3ZMOTBKdmR3OD0.jpeg"; # https://57friend.lofter.com/post/1d7a55da_2b5bc7172
+      hash = "sha256-jO8S+WNWfel74+CtMbfd9F78CuyXFK5ka72Br9b10P4=";
+    };
+
+    "backgrounds/genshin3.jpg".source = pkgs.fetchurl {
+      inherit curlOptsList;
+      url = "https://i.pximg.net/img-original/img/2022/06/21/20/00/28/99170653_p0.jpg"; # https://www.pixiv.net/artworks/99170653
+      hash = "sha256-7DmmJRZyJKU06j89X3x5NlOElFhdilIhzQMs3ynZKh4=";
+    };
+
     "backgrounds/summer.jpg".source = let
       image = pkgs.fetchurl {
         inherit curlOptsList;

overlays/nautilus.nix

@@ -3,7 +3,7 @@
     prev.gnome
     // {
       # https://aur.archlinux.org/pkgbase/nautilus-typeahead
-      nautilus = prev.gnome.nautilus.overrideAttrs (old: {
+      nautilus = prev.gnome.nautilus.overrideAttrs {
         src = prev.fetchFromGitLab {
           domain = "gitlab.gnome.org";
           owner = "albertvaka";
@@ -16,6 +16,6 @@
         postPatch = ''
           awk -i inplace '/type-ahead-search/{c++;} c==1 && /true/{sub("true", "false"); c++;} 1' data/org.gnome.nautilus.gschema.xml
         '';
-      });
+      };
     };
 }