treewide: cleanup

.sops.yaml

@@ -18,6 +18,18 @@ creation_rules:
       - age:
           - *guanranwang
           - *lightsail-tokyo
+  - path_regex: nixos/profiles/opt-in/mihomo/secrets.yaml$
+    key_groups:
+      - age:
+          - *guanranwang
+          - *aristotle
+          - *blacksteel
+  - path_regex: nixos/profiles/opt-in/wireless/secrets.yaml$
+    key_groups:
+      - age:
+          - *guanranwang
+          - *aristotle
+          - *blacksteel
   - path_regex: secrets.yaml$
     key_groups:
       - age:

darwin/profiles/desktop/packages/_homebrew.nix

@@ -1,11 +0,0 @@
-{
-  homebrew = {
-    enable = true;
-    casks = [
-      "altserver"
-      "squirrel"
-      "librewolf"
-      "google-chrome"
-    ];
-  };
-}

darwin/profiles/desktop/packages/default.nix

@@ -1,7 +1,6 @@
 {...}: {
   imports = [
     ./fonts.nix
-    # ./homebrew.nix
     ./window-manager.nix
   ];
 }

flake.nix

@@ -159,7 +159,8 @@
     // (let
       mkNixOS = system: modules:
         inputs.nixpkgs.lib.nixosSystem {
-          inherit system modules;
+          inherit system;
+          modules = [./nixos/profiles/core] ++ modules;
           specialArgs = {inherit inputs;};
         };
 
@@ -208,12 +209,18 @@
         };
 
         "lightsail-tokyo" = {
-          imports = [./hosts/lightsail-tokyo];
+          imports = [
+            ./nixos/profiles/core
+            ./hosts/lightsail-tokyo
+          ];
           deployment.targetHost = "tyo0.ny4.dev";
         };
 
         "blacksteel" = {
-          imports = [./hosts/blacksteel];
+          imports = [
+            ./nixos/profiles/core
+            ./hosts/blacksteel
+          ];
           deployment.targetHost = "blacksteel"; # thru tailscale
         };
       };

home/applications/sway/default.nix

@@ -2,7 +2,6 @@
   config,
   pkgs,
   lib,
-  inputs,
   ...
 }: let
   # https://www.pixiv.net/en/artworks/49983419

hosts/aristotle/anti-feature.nix

@@ -8,6 +8,7 @@
         "adoptopenjdk-hotspot-bin"
         "cargo-bootstrap"
         "cef-binary"
+        "dart"
         "osu-lazer-bin"
         "rustc-bootstrap"
         "rustc-bootstrap-wrapper"
@@ -18,14 +19,15 @@
     allowUnfree = false;
     allowUnfreePredicate = pkg:
       builtins.elem (lib.getName pkg) [
+        "fcitx5-pinyin-minecraft"
+        "fcitx5-pinyin-moegirl"
         "libXNVCtrl"
         "nvidia-x11"
         "osu-lazer-bin"
         "steam"
         "steam-original"
+        "steam-run"
         "xow_dongle-firmware"
-        "fcitx5-pinyin-minecraft"
-        "fcitx5-pinyin-moegirl"
       ];
   };
 }

hosts/aristotle/default.nix

@@ -1,26 +1,18 @@
-{
-  pkgs,
-  inputs,
-  ...
-}: {
+{pkgs, ...}: {
   imports = [
-    # OS
-    ../../nixos/profiles/laptop
-    ../../nixos/profiles/common/opt-in/mihomo
-    ../../nixos/profiles/common/opt-in/gaming
+    ../../nixos/profiles/opt-in/mihomo
+    ../../nixos/profiles/opt-in/wireless
 
-    # Hardware
-    ./hardware-configuration.nix
     ./anti-feature.nix
-    ../../nixos/profiles/common/opt-in/lanzaboote.nix
-    ../../nixos/profiles/common/opt-in/impermanence.nix
-    ../../nixos/profiles/common/opt-in/disko.nix
+    ./disko.nix
+    ./graphical
+    ./hardware-configuration.nix
+    ./impermanence.nix
+    ./lanzaboote.nix
   ];
 
-  boot.loader.efi.canTouchEfiVariables = true;
   networking.hostName = "aristotle";
   time.timeZone = "Asia/Shanghai";
-  _module.args.disks = ["/dev/nvme0n1"]; # Disko
   system.stateVersion = "23.11";
 
   services.tailscale = {
@@ -28,45 +20,34 @@
     openFirewall = true;
   };
 
-  # Stuff that I only want on my main machine
-  home-manager.users.guanranwang = {
-    imports = map (n: ../../home/applications/${n}) [
-      "thunderbird"
-      "ydict"
-    ];
-
-    home.packages =
-      (with pkgs; [
-        amberol
-        fractal
-        gnome-calculator
-        hyperfine
-        mousai
-      ])
-      ++ (with inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.scripts; [
-        lofi
-      ]);
-
-    programs.obs-studio.enable = true;
-  };
-
-  # for udev rules
   programs.adb.enable = true;
-
-  # fucking hell
   programs.anime-game-launcher.enable = true;
+  programs.steam.enable = true;
+  services.power-profiles-daemon.enable = true;
 
-  # nouveou
-  services.xserver.videoDrivers = [];
+  # https://wiki.archlinux.org/title/Gamepad#Connect_Xbox_Wireless_Controller_with_Bluetooth
+  hardware.xone.enable = true; # via wired or wireless dongle
+  hardware.xpadneo.enable = true; # via Bluetooth
 
-  # novideo
-  # hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.beta;
-  # environment.sessionVariables."MOZ_ENABLE_WAYLAND" = "0";
-  # networking.networkmanager.enable = false;
-  # services.xserver.desktopManager.gnome.enable = true;
-  # services.xserver.displayManager.gdm.enable = true;
-  # # https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1562
-  # services.udev.extraRules = ''
-  #   ENV{DEVNAME}=="/dev/dri/card1", TAG+="mutter-device-preferred-primary"
-  # '';
+  ### https://wiki.archlinux.org/title/Gaming#Improving_performance
+  systemd.tmpfiles.rules = [
+    "w /proc/sys/vm/min_free_kbytes - - - - 1048576"
+    "w /proc/sys/vm/swappiness - - - - 10"
+    "w /sys/kernel/mm/lru_gen/enabled - - - - 5"
+    "w /proc/sys/vm/zone_reclaim_mode - - - - 0"
+    "w /proc/sys/vm/page_lock_unfairness - - - - 1"
+    "w /proc/sys/kernel/sched_child_runs_first - - - - 0"
+    "w /proc/sys/kernel/sched_autogroup_enabled - - - - 1"
+    "w /proc/sys/kernel/sched_cfs_bandwidth_slice_us - - - - 500"
+    "w /sys/kernel/debug/sched/latency_ns  - - - - 1000000"
+    "w /sys/kernel/debug/sched/migration_cost_ns - - - - 500000"
+    "w /sys/kernel/debug/sched/min_granularity_ns - - - - 500000"
+    "w /sys/kernel/debug/sched/wakeup_granularity_ns  - - - - 0"
+    "w /sys/kernel/debug/sched/nr_migrate - - - - 8"
+  ];
+
+  # yubikey
+  environment.systemPackages = [pkgs.yubikey-manager];
+  services.pcscd.enable = true;
+  services.udev.packages = [pkgs.yubikey-personalization];
 }

hosts/aristotle/disko.nix

@@ -1,4 +1,5 @@
-{disks ? ["/dev/sda"], ...}: let
+let
+  disks = ["/dev/nvme0n1"];
   # compress-force: https://t.me/archlinuxcn_group/3054167
   mountOptions = ["defaults" "compress-force=zstd" "noatime"];
   cryptSettings = {

hosts/aristotle/graphical/default.nix

@@ -1,14 +1,7 @@
-{
-  pkgs,
-  lib,
-  ...
-}: {
+{pkgs, ...}: {
   ### home-manager
   home-manager.users.guanranwang = import ./home;
 
-  # plymouth
-  #boot.plymouth.enable = true;
-
   # xserver
   services.xserver = {
     enable = true;
@@ -21,7 +14,6 @@
 
   # polkit
   security.polkit.enable = true;
-  environment.systemPackages = with pkgs; [polkit_gnome];
   systemd.user.services.polkit-gnome-authentication-agent-1 = {
     description = "polkit-gnome-authentication-agent-1";
     wantedBy = ["graphical-session.target"];
@@ -36,16 +28,13 @@
     };
   };
 
-  ### Options
-  my.boot.noLoaderMenu = lib.mkDefault true;
-
   fonts.enableDefaultPackages = false;
   security.pam.services.swaylock = {};
   xdg.portal = {
     enable = true;
     xdgOpenUsePortal = true;
     wlr.enable = true;
-    extraPortals = with pkgs; [xdg-desktop-portal-gtk];
+    extraPortals = [pkgs.xdg-desktop-portal-gtk];
     # https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf
     config."sway" = {
       default = "gtk";
@@ -54,34 +43,25 @@
       "org.freedesktop.impl.portal.Inhibit" = "none";
     };
   };
+
   services = {
     gvfs.enable = true;
     gnome = {
       gnome-keyring.enable = true;
-      sushi.enable = true;
       gnome-online-accounts.enable = true;
+      sushi.enable = true;
     };
   };
-  programs = {
-    kdeconnect = {
-      enable = true;
-      #package = pkgs.gnomeExtensions.gsconnect;
-      package = pkgs.valent;
-    };
-  };
-  services.libinput = {
-    touchpad = {
-      accelProfile = "flat";
-      naturalScrolling = true;
-      middleEmulation = false;
-    };
-    mouse = {
-      accelProfile = "flat";
-      naturalScrolling = true;
-      middleEmulation = false;
-    };
+
+  programs.kdeconnect = {
+    enable = true;
+    package = pkgs.valent;
   };
 
+  environment.systemPackages = [pkgs.localsend];
+  networking.firewall.allowedTCPPorts = [53317];
+  networking.firewall.allowedUDPPorts = [53317];
+
   ### Removes debounce time
   # https://www.reddit.com/r/linux_gaming/comments/ku6gth
   environment.etc."libinput/local-overrides.quirks".text = ''

hosts/aristotle/graphical/home/default.nix

@@ -0,0 +1,65 @@
+{
+  pkgs,
+  inputs,
+  ...
+}: {
+  imports =
+    [
+      ./fonts
+      ./theme.nix
+      ./xdg-mime.nix
+    ]
+    ++ map (n: ../../../../home/applications/${n}) [
+      "fcitx5"
+      "firefox"
+      "foot"
+      "go"
+      "mpv"
+      "nautilus"
+      "nix"
+      "sway"
+      "thunderbird"
+      "ydict"
+    ];
+
+  # https://wiki.archlinux.org/title/Fish#Start_X_at_login
+  programs.fish.loginShellInit = ''
+    if test -z "$DISPLAY" -a "$XDG_VTNR" = 1
+      exec sway
+    end
+  '';
+
+  home.packages =
+    (
+      with pkgs; [
+        amberol
+        dconf-editor
+        file-roller
+        fractal
+        gnome-calculator
+        hyperfine
+        loupe
+        mousai
+        seahorse
+
+        (prismlauncher.override {
+          glfw = glfw-wayland-minecraft;
+          gamemodeSupport = false;
+        })
+        mumble
+        osu-lazer-bin
+      ]
+    )
+    ++ (with inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.scripts; [
+      lofi
+    ]);
+
+  home.sessionVariables = {
+    # https://github.com/ppy/osu-framework/pull/6292
+    "OSU_SDL3" = "1";
+  };
+
+  programs.mangohud.enable = true;
+  programs.obs-studio.enable = true;
+  services.ssh-agent.enable = true;
+}

hosts/aristotle/hardware-configuration.nix

@@ -5,14 +5,41 @@
     inputs.nixos-sensible.nixosModules.zram
   ];
 
-  hardware.nvidia.nvidiaSettings = false;
   services.hdapsd.enable = false;
-  my.hardware = {
-    audio.enable = true;
-    bluetooth.enable = true;
-    tpm.enable = true;
+  services.thermald.enable = true;
+
+  security.rtkit.enable = true;
+  hardware.pulseaudio.enable = false;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    jack.enable = true;
   };
 
+  hardware.bluetooth = {
+    enable = true;
+    settings.General.FastConnectable = true;
+  };
+
+  # nouveou
+  services.xserver.videoDrivers = [];
+
+  # novideo
+  # hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.beta;
+  # hardware.nvidia.nvidiaSettings = false;
+  # environment.sessionVariables."MOZ_ENABLE_WAYLAND" = "0";
+  # networking.networkmanager.enable = false;
+  # services.xserver.desktopManager.gnome.enable = true;
+  # services.xserver.displayManager.gdm.enable = true;
+  # # https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1562
+  # services.udev.extraRules = ''
+  #   ENV{DEVNAME}=="/dev/dri/card1", TAG+="mutter-device-preferred-primary"
+  # '';
+
+  boot.loader.timeout = 0;
+  boot.loader.efi.canTouchEfiVariables = true;
   boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid"];
   boot.kernelModules = ["kvm-intel"];
   nixpkgs.hostPlatform = "x86_64-linux";

hosts/aristotle/lanzaboote.nix

@@ -1,6 +1,5 @@
 {pkgs, ...}: {
-  environment.systemPackages = with pkgs; [sbctl];
-  boot.loader.systemd-boot.enable = false;
+  environment.systemPackages = [pkgs.sbctl];
   boot.lanzaboote = {
     enable = true;
     pkiBundle = "/etc/secureboot";

hosts/blacksteel/anti-feature.nix

@@ -8,13 +8,11 @@
       builtins.elem (lib.getName pkg) [
         "adoptopenjdk-hotspot-bin"
         "cargo-bootstrap"
-        "cef-binary"
         "minecraft-server"
         "rustc-bootstrap"
         "rustc-bootstrap-wrapper"
         "sof-firmware"
         "temurin-bin"
-        "vscodium"
       ];
 
     allowUnfree = false;
@@ -22,7 +20,6 @@
       builtins.elem (lib.getName pkg) [
         "broadcom-sta"
         "minecraft-server"
-        "nvidia-x11"
       ];
   };
 }

hosts/blacksteel/default.nix

@@ -6,11 +6,8 @@
 }: {
   imports = [
     # OS
-    # FIXME:
-    ../../nixos/profiles/common/core
-    ../../nixos/profiles/common/physical
-    ../../nixos/profiles/common/mobile
-    ../../nixos/profiles/common/opt-in/mihomo
+    ../../nixos/profiles/opt-in/mihomo
+    ../../nixos/profiles/opt-in/wireless
 
     # Hardware
     ./hardware-configuration.nix

hosts/blacksteel/hardware-configuration.nix

@@ -14,11 +14,7 @@
     inputs.nixos-sensible.nixosModules.zram
   ];
 
-  my.hardware = {
-    audio.enable = true;
-    bluetooth.enable = true;
-    tpm.enable = true;
-  };
+  services.thermald.enable = true;
 
   boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
   boot.kernelModules = ["kvm-intel" "wl"];

nixos/modules/default.nix

@@ -1,12 +1,5 @@
 {...}: {
   imports = [
-    # utils that is used internally
-    ./my/boot.nix
-    ./my/hardware/audio.nix
-    ./my/hardware/bluetooth.nix
-    ./my/hardware/tpm.nix
-
-    # nixpkgs styled options
     ./services/hysteria.nix
     ./services/pixivfe.nix
     ./services/rathole.nix

nixos/modules/my/boot.nix

@@ -1,29 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}: let
-  cfg = config.my.boot;
-in {
-  options = {
-    my.boot = {
-      silentBoot = lib.mkEnableOption "silent boot";
-      noLoaderMenu = lib.mkEnableOption "" // {description = "Whether to disable bootloader menu.";};
-    };
-  };
-
-  config = {
-    ### cfg.noLoaderMenu
-    boot.loader.timeout = lib.mkIf cfg.noLoaderMenu 0;
-
-    ### cfg.silentBoot
-    boot.consoleLogLevel = lib.mkIf cfg.silentBoot 0;
-    boot.kernelParams =
-      lib.mkIf cfg.silentBoot
-      (["quiet"]
-        ++ lib.optionals config.boot.initrd.systemd.enable [
-          "systemd.show_status=auto"
-          "rd.udev.log_level=3"
-        ]);
-  };
-}

nixos/modules/my/hardware/audio.nix

@@ -1,24 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}: let
-  cfg = config.my.hardware.audio;
-in {
-  options = {
-    my.hardware.audio.enable = lib.mkEnableOption "audio";
-  };
-
-  # https://nixos.wiki/wiki/PipeWire
-  config = lib.mkIf cfg.enable {
-    security.rtkit.enable = true;
-    hardware.pulseaudio.enable = false;
-    services.pipewire = {
-      enable = true;
-      alsa.enable = true;
-      alsa.support32Bit = true;
-      pulse.enable = true;
-      jack.enable = true;
-    };
-  };
-}

nixos/modules/my/hardware/bluetooth.nix

@@ -1,21 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}: let
-  cfg = config.my.hardware.bluetooth;
-in {
-  options = {
-    my.hardware.bluetooth.enable = lib.mkEnableOption "bluetooth";
-  };
-
-  # https://nixos.wiki/wiki/Bluetooth
-  config = lib.mkIf cfg.enable {
-    environment.systemPackages = lib.mkIf config.services.xserver.enable (with pkgs; [blueberry]);
-    hardware.bluetooth = {
-      enable = true;
-      settings.General.FastConnectable = true;
-    };
-  };
-}

nixos/modules/my/hardware/tpm.nix

@@ -1,20 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}: let
-  cfg = config.my.hardware.tpm;
-in {
-  options = {
-    my.hardware.tpm.enable = lib.mkEnableOption "TPM";
-  };
-
-  # https://nixos.wiki/wiki/TPM
-  config = lib.mkIf cfg.enable {
-    security.tpm2 = {
-      enable = true;
-      pkcs11.enable = true;
-      tctiEnvironment.enable = true;
-    };
-  };
-}

nixos/profiles/common/core/hardening/sysctl.nix

@@ -1,50 +0,0 @@
-{
-  boot.kernel.sysctl = {
-    ### https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
-    # Kernel self-protection
-    "kernel.kptr_restrict" = "2";
-    "kernel.dmesg_restrict" = "1";
-    "kernel.printk" = "3 3 3 3"; #
-    "kernel.unprivileged_bpf_disabled" = "1";
-    "net.core.bpf_jit_harden" = "2";
-    "dev.tty.ldisc_autoload" = "0";
-    "vm.unprivileged_userfaultfd" = "0";
-    "kernel.kexec_load_disabled" = "1";
-    "kernel.sysrq" = "4"; #
-    #"kernel.unprivileged_userns_clone" = "0"; # does not exist on nixos
-    "kernel.perf_event_paranoid" = "3";
-
-    # Network
-    "net.ipv4.tcp_syncookies" = "1";
-    "net.ipv4.tcp_rfc1337" = "1";
-    "net.ipv4.conf.all.rp_filter" = "1";
-    "net.ipv4.conf.default.rp_filter" = "1";
-    "net.ipv4.conf.all.accept_redirects" = "0";
-    "net.ipv4.conf.default.accept_redirects" = "0";
-    "net.ipv4.conf.all.secure_redirects" = "0";
-    "net.ipv4.conf.default.secure_redirects" = "0";
-    "net.ipv6.conf.all.accept_redirects" = "0";
-    "net.ipv6.conf.default.accept_redirects" = "0";
-    "net.ipv4.conf.all.send_redirects" = "0";
-    "net.ipv4.conf.default.send_redirects" = "0";
-    "net.ipv4.icmp_echo_ignore_all" = "1";
-    "net.ipv4.conf.all.accept_source_route" = "0";
-    "net.ipv4.conf.default.accept_source_route" = "0";
-    "net.ipv6.conf.all.accept_source_route" = "0";
-    "net.ipv6.conf.default.accept_source_route" = "0";
-    "net.ipv6.conf.all.accept_ra" = "0";
-    "net.ipv6.conf.default.accept_ra" = "0";
-    "net.ipv4.tcp_sack" = "0";
-    "net.ipv4.tcp_dsack" = "0";
-    "net.ipv4.tcp_fack" = "0";
-
-    # User Space
-    "kernel.yama.ptrace_scope" = "2";
-    "vm.mmap_rnd_bits" = "32";
-    "vm.mmap_rnd_compat_bits" = "16";
-    "fs.protected_symlinks" = "1";
-    "fs.protected_hardlinks" = "1";
-    "fs.protected_fifos" = "2";
-    "fs.protected_regular" = "2";
-  };
-}

nixos/profiles/common/core/networking/default.nix

@@ -1,18 +0,0 @@
-{
-  lib,
-  config,
-  ...
-}: {
-  networking.wireless.iwd.enable = lib.mkDefault true;
-  services.resolved.enable = true;
-
-  sops.secrets."wireless/wangxiaobo".path = lib.mkIf config.networking.wireless.iwd.enable "/var/lib/iwd/wangxiaobo.psk";
-  sops.secrets."wireless/OpenWrt".path = lib.mkIf config.networking.wireless.iwd.enable "/var/lib/iwd/OpenWrt.psk";
-
-  ### https://wiki.archlinux.org/title/Sysctl#Improving_performance
-  boot.kernelModules = ["tcp_bbr"];
-  boot.kernel.sysctl = {
-    "net.core.default_qdisc" = "cake";
-    "net.ipv4.tcp_congestion_control" = "bbr";
-  };
-}

nixos/profiles/common/graphical/home/default.nix

@@ -1,37 +0,0 @@
-{pkgs, ...}: {
-  imports =
-    [
-      ./fonts
-      ./theme.nix
-      ./xdg-mime.nix
-    ]
-    ++ map (n: ../../../../../home/applications/${n}) [
-      "fcitx5"
-      "firefox"
-      "foot"
-      "go"
-      "mpv"
-      "nautilus"
-      "nix"
-      "sway"
-    ];
-
-  # https://wiki.archlinux.org/title/Fish#Start_X_at_login
-  programs.fish.loginShellInit = ''
-    if test -z "$DISPLAY" -a "$XDG_VTNR" = 1
-      exec sway
-    end
-  '';
-
-  home.packages = with pkgs; [
-    loupe
-    gnome-calculator
-    seahorse
-    file-roller
-    dconf-editor
-  ];
-
-  services = {
-    ssh-agent.enable = true;
-  };
-}

nixos/profiles/common/minimal/default.nix

@@ -1,5 +0,0 @@
-{modulesPath, ...}: {
-  imports = [
-    (modulesPath + "/profiles/minimal.nix")
-  ];
-}

nixos/profiles/common/mobile/default.nix

@@ -1,3 +0,0 @@
-{
-  home-manager.users.guanranwang = import ./home;
-}

nixos/profiles/common/mobile/home/default.nix

@@ -1,3 +0,0 @@
-{
-  services.batsignal.enable = true;
-}

nixos/profiles/common/opt-in/gaming/default.nix

@@ -1,58 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}: {
-  ### home-manager
-  home-manager.users.guanranwang.imports = [./home];
-
-  ### for steam
-  # https://github.com/NixOS/nixpkgs/issues/47932
-  hardware.opengl.driSupport32Bit = true;
-
-  # https://wiki.archlinux.org/title/Gamepad#Connect_Xbox_Wireless_Controller_with_Bluetooth
-  hardware.xone.enable = true; # via wired or wireless dongle
-  hardware.xpadneo.enable = true; # via Bluetooth
-
-  programs.gamemode = {
-    enable = true;
-    settings.custom = {
-      start = "${lib.getExe pkgs.libnotify} 'GameMode Activated' 'GameMode Activated! Enjoy enhanced performance. 🚀'";
-      end = "${lib.getExe pkgs.libnotify} 'GameMode Deactivated' 'GameMode Deactivated. Back to normal mode. ⏹️'";
-    };
-  };
-
-  # Integrate with NVIDIA Optimus offloading.
-  # https://github.com/FeralInteractive/gamemode#note-for-hybrid-gpu-users
-  environment.sessionVariables = {
-    "GAMEMODERUNEXEC" = let
-      inherit (config.hardware.nvidia.prime) offload;
-    in
-      lib.mkIf
-      (builtins.elem "nvidia" config.services.xserver.videoDrivers && offload.enable && offload.enableOffloadCmd)
-      (lib.mkDefault "nvidia-offload");
-  };
-
-  ### https://wiki.archlinux.org/title/Gaming#Improving_performance
-  systemd.tmpfiles.rules = [
-    #    Path                  Mode UID  GID  Age Argument
-    #"w /proc/sys/vm/compaction_proactiveness - - - - 0"
-    "w /proc/sys/vm/min_free_kbytes - - - - 1048576"
-    "w /proc/sys/vm/swappiness - - - - 10"
-    "w /sys/kernel/mm/lru_gen/enabled - - - - 5"
-    "w /proc/sys/vm/zone_reclaim_mode - - - - 0"
-    #"w /sys/kernel/mm/transparent_hugepage/enabled - - - - never"
-    #"w /sys/kernel/mm/transparent_hugepage/shmem_enabled - - - - never"
-    #"w /sys/kernel/mm/transparent_hugepage/khugepaged/defrag - - - - 0"
-    "w /proc/sys/vm/page_lock_unfairness - - - - 1"
-    "w /proc/sys/kernel/sched_child_runs_first - - - - 0"
-    "w /proc/sys/kernel/sched_autogroup_enabled - - - - 1"
-    "w /proc/sys/kernel/sched_cfs_bandwidth_slice_us - - - - 500"
-    "w /sys/kernel/debug/sched/latency_ns  - - - - 1000000"
-    "w /sys/kernel/debug/sched/migration_cost_ns - - - - 500000"
-    "w /sys/kernel/debug/sched/min_granularity_ns - - - - 500000"
-    "w /sys/kernel/debug/sched/wakeup_granularity_ns  - - - - 0"
-    "w /sys/kernel/debug/sched/nr_migrate - - - - 8"
-  ];
-}

nixos/profiles/common/opt-in/gaming/home/default.nix

@@ -1,15 +0,0 @@
-{pkgs, ...}: {
-  programs.mangohud.enable = true;
-
-  home.packages = with pkgs; [
-    (prismlauncher.override {glfw = glfw-wayland-minecraft;})
-    steam
-    mumble
-    osu-lazer-bin
-  ];
-
-  home.sessionVariables = {
-    # https://github.com/ppy/osu-framework/pull/6292
-    "OSU_SDL3" = "1";
-  };
-}

nixos/profiles/common/physical/default.nix

@@ -1,11 +0,0 @@
-{pkgs, ...}: {
-  networking.stevenblack.enable = true;
-  services.system76-scheduler.enable = true;
-  services.power-profiles-daemon.enable = true;
-  services.thermald.enable = true;
-
-  # YubiKey
-  environment.systemPackages = [pkgs.yubikey-manager];
-  services.pcscd.enable = true;
-  services.udev.packages = [pkgs.yubikey-personalization];
-}

nixos/profiles/core/default.nix

@@ -7,10 +7,10 @@
 }: {
   imports =
     [
-      ./hardening
-      ./networking
       ./nix
       ./fun.nix
+      ./hardening.nix
+      ./networking.nix
     ]
     ++ (with inputs; [
       aagl.nixosModules.default
@@ -29,7 +29,7 @@
   ];
 
   ### home-manager
-  home-manager.users.guanranwang = import ../../../../home;
+  home-manager.users.guanranwang = import ../../../home;
 
   home-manager = {
     useGlobalPkgs = true;
@@ -37,7 +37,7 @@
     extraSpecialArgs = {inherit inputs;}; # ??? isnt specialArgs imported by default ???
   };
 
-  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 
   ### Default Programs
   # In addition of https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/system-path.nix
@@ -91,7 +91,7 @@
 
   ### sops-nix
   sops = {
-    defaultSopsFile = ../../../../secrets.yaml;
+    defaultSopsFile = ../../../secrets.yaml;
     age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
     gnupg.sshKeyPaths = [];
     secrets = {

nixos/profiles/core/hardening.nix

@@ -1,15 +1,6 @@
-{...}: {
-  ### Basic hardening
-  # ref: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
-  # ref: https://madaidans-insecurities.github.io/guides/linux-hardening.html
-  imports = [
-    ./sysctl.nix
-  ];
-
+{
   environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id
-  security.apparmor.enable = true;
-  security.sudo-rs.enable = true;
-  security.sudo-rs.execWheelOnly = true;
+  security.sudo.execWheelOnly = true;
 
   boot.blacklistedKernelModules = [
     # Obscure network protocols

nixos/profiles/core/networking.nix

@@ -0,0 +1,10 @@
+{
+  services.resolved.enable = true;
+
+  ### https://wiki.archlinux.org/title/Sysctl#Improving_performance
+  boot.kernelModules = ["tcp_bbr"];
+  boot.kernel.sysctl = {
+    "net.core.default_qdisc" = "cake";
+    "net.ipv4.tcp_congestion_control" = "bbr";
+  };
+}

nixos/profiles/core/nix/default.nix

@@ -3,6 +3,5 @@
     ./flake.nix
     ./nix.nix
     ./gc.nix
-    #./monitor.nix
   ];
 }

nixos/profiles/desktop/default.nix

@@ -1,7 +0,0 @@
-{...}: {
-  imports = [
-    ../common/core
-    ../common/graphical
-    ../common/physical
-  ];
-}

nixos/profiles/laptop/default.nix

@@ -1,8 +0,0 @@
-{...}: {
-  imports = [
-    ../common/core
-    ../common/graphical
-    ../common/physical
-    ../common/mobile
-  ];
-}

nixos/profiles/opt-in/mihomo/default.nix

@@ -25,7 +25,12 @@
   };
 
   ### sops-nix
-  sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["mihomo.service"];}) {
+  sops.secrets = builtins.mapAttrs (_name: value:
+    value
+    // {
+      restartUnits = ["mihomo.service"];
+      sopsFile = ./secrets.yaml;
+    }) {
     "clash/secret" = {};
     "clash/proxies/lightsail" = {};
     "clash/proxy-providers/efcloud" = {};

nixos/profiles/opt-in/mihomo/secrets.yaml

@@ -0,0 +1,46 @@
+clash:
+    secret: ENC[AES256_GCM,data:0dikpMbntA==,iv:63yclHF0yUJXWr7/RN0RLMFmASD847i6WAplx6sfvGQ=,tag:Y7lw2sn34CEfAmzy/0IugA==,type:str]
+    proxies:
+        lightsail: ENC[AES256_GCM,data:YfyZsBi3yMIAMIjotAk4g4M+yYYozSSbKE77oz3lwbRHCMVJqxeo5nR04HrG8Hy2mQvVV09et1MbgnDMhEaSERZvsfaBojFUoRE6Du18n1ET8P1/ez5aKgC6ZnHy90a99mktqD4QDGNE8VDX2xBtNcVLF6i9dJ9di9tJEtnOdw+Q,iv:/uqtX6E2I0sqSWt2FmKwzG9zQb2TjdQqfDBZQXLh8cs=,tag:ofvc5GKEPrizajUaevI1jA==,type:str]
+    proxy-providers:
+        flyairport: ENC[AES256_GCM,data:x6li/5tWuAX9ZvLVUETLaBDqjB8pb8vSD9jD8HDMXNiiilq03RVHx7eXTiWMVJMlRUBOxvhTXH1fQxzye34aZQMx4BftMOQzvG5soF/P+K5hGapC9wbFnoH8znHkAdIgRLIeDBHRix3ll2OqGhqCENkWF4jjs/Pxqfz5bJlhcA==,iv:lO59riu5seloBRIy8QG02afNciEKvElzovLyaX90iSA=,tag:/L+elOLB2agQdRvg9tR0WQ==,type:str]
+        efcloud: ENC[AES256_GCM,data:36mToXGiHVAgM4vVQFOYvNPaHHuVf4mtvnNOgMBTyzbZ/mKpT1Exx7rWZ7i9EVBy5eX7SJtKmnHs0CqD48hr7R708W2oW3YNPEfkK7aGDqfQFyS1TVjT+MM=,iv:+qiFyM10fcAjcdyVZCC+0hb83GYENooM52+1GPXpamQ=,tag:wZupiFJMQq8A5ZwJtjXiOg==,type:str]
+        spcloud: ENC[AES256_GCM,data:gmJM+sTTaUrIxQXRBlDtE+K1gEfseMPUC2AQLq1LeY6iQmgq3wK7oJlz+buLbm/LUDitvls9d517905hz/Mpp2F7ohBeW9m1Jkcvdh/Zfgnfqg==,iv:FPe//+/ZMDZloZg2AnQ7JXRzqZdKDjLYs3wqMxqNA/Y=,tag:JPEU/WnUfy8bNlhAgPQwJw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaXJJdVlKb0lpa3pkZ0px
+            UGwveFAydHBUMzdXOU5ibHRBNmg1VllUVWxBCkh5SWQrQUhFSFA2NHA2WWhhYXhV
+            bFlteVVCM1M1VlRoakZ1UW1ENmJWM3cKLS0tIDdpZVo0Z2dQQ29DVnVOQU5kWkMy
+            N2djZElOQUtINXY5bGJKZFROK1VpZWcKMQY/1i3yvoKhDUdkmvQ0boVHzh9vta1Z
+            hz9WY8aYIMsa0PY71FuBMklOfNtaPKbewx9XXfLDetFLQ7tmWnIzFg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVzFrcWdBNlYvdWRzNVNr
+            T3YyQ3JBakRQcnd2MzMyNnN4Z3h0TkN3S1NvCmdCZnFaeVdFcCtoVzh6OGRnd2o3
+            cVpxTCtpV1RYRjloUElLek9NcDlrMWsKLS0tIEdtZWVNUXY4VDAzSUxkUGhodjlJ
+            UHFlbi9JYTBVYWIyOGZ6SnBZcWo4K1kK9TkNUwrKIywSaXoExUaBb3y4L5Gg+2CT
+            0eI/CUL8LuYSSGeGRtypMPklHUQS4qV3UmXbnNSKctdLrNcDRperXg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MHd3Qjl1ODJzVWlwN3VB
+            L3ZFdVBPbmRzQUJBbWdiRUtqVzJYeVlHdkZJCit4YzExQ1UweXcrRkpVMEVKQlB3
+            NGt0VHE1alFvSkJGKzU5ZzM5akFwUG8KLS0tIGdvNS9ZYWU4TXM2Y1hVbjl2Z3cy
+            QStSb1FJb0xUUkV5cjg1Qk5ORDRQMzQKiTUdlCbgRX0zRPURsolB4O0dvxl9+lkn
+            0cIBYnVxzSdlDj+TXnTR2zL2cqZg94cNaTz0qWk/kmkmgmqm80hZ7Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-07-09T22:04:17Z"
+    mac: ENC[AES256_GCM,data:iKwYqxBllI8SydCUjyK2cJkcUKVj4CqjmfDSMNJtLwM6IWUoOScV4Pu0YJz0aui5F8nbyC92vdDwsE599GZMTWdCH20MeWEMo7pbkPFxxL1bY5BMCNNE3Tm354nz4ihmBXMB9aI1JRiSareV5yQ1v6lOxzDargDigMrPI/6DRfo=,iv:JRvJQ3YdFZsBstT55xKcCMGJODy42FImugHbwEbpV2I=,tag:go33lpTdouZoFk53g9FXTw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

nixos/profiles/opt-in/wireless/default.nix

@@ -0,0 +1,8 @@
+{lib, ...}: {
+  sops.secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
+    "wireless/wangxiaobo".path = "/var/lib/iwd/wangxiaobo.psk";
+    "wireless/OpenWrt".path = "/var/lib/iwd/OpenWrt.psk";
+  };
+
+  networking.wireless.iwd.enable = lib.mkDefault true;
+}

nixos/profiles/opt-in/wireless/secrets.yaml

@@ -0,0 +1,41 @@
+wireless:
+    wangxiaobo: ENC[AES256_GCM,data:D9m+JRZ2Tw1a4mukW+WU3QLYIRiTiRkGz1ddD7zvkctbuYg+BZXtRgDR0FOIn586t0DsgA1wBDEN/WWiLRTrArgWTHiv7OsOa1NI7+BuL1cFb1TNbk04zbtc6cCOpDBH8qivx0jdZIqrJ5JzIaeZ9T78tj1jMmp3pyt3RiEcZLqxjnPiJhJVaZ8iUNDTvuX3DpsmqybYiLO+Hz7qvIHwM1euc/vyraZ2SR/y5DjTjwVK1jiAs3glPy2oYayVhv+RPs/AHVDnslbtPxGrPhRXxZT3t9LnBw+I0VgrdKUl39ym38PurGnVoBJ7EUVWl3SUPQjnDfQI/XQiDyI3DZ8uA5MGwlR9mny5N/ojs+q7J/k4YiSThCasA5tA24SNRZQWI9lFevoortU+is9FTTGkfzgrrcuURDs6E3ShbbHgn4tvHPhB87J1mP9D7UMIFFfVyvqp5fRgBMHcrEA8xln2xvvQdRDDj/JJYIj3ex8PpTqvAi1EwnAFWhBgqIchcHRFcfQRWOsR7h8M1UQpnge85UZfePMropq5zJ3TSF4AKa2A4UqhgkvLm8qrMI1lvsEnH4TMoyV5Z59T4sPd4Eb3FV26wey6DTdw6cCuywh0AQ==,iv:nbD9EcQYaAf4XwvTLKRy+IjTkV7aHsHK+gBD/Ooc/l8=,tag:VHD3X0ONH4YTp/BTcnpLDQ==,type:str]
+    OpenWrt: ENC[AES256_GCM,data:KaRLfzoXPTyAscYjJ9mpMAKtsP29PjNvm1G89ne/7N3MtgO9/GfO2JHrmeU2KZBLCJEllovbw82TFsfG7q0ID0sGTVHEZ52yQdOD5wUiuKaiCoN4jaSsU/VsOfOF7ZGt9lWjl+JrGLLWfqAfvN6Jy85jb8XnaOT4jxqjHtTcMDU/ZkL3IJPdTB1RwuIua/UYFYW96kyOyKh5CKloFV9yZTdAmvI3f5Wjm7f7yHMchRI/G0Jk5QLCLSWeXyD2o2iy+vU2a9/0X3hNgoHhzEsB96PHLjtOdSDvWLl598aHelzqKP7GOy71KMTM7cW5i7eyWLNe7+4f3wTl1JQPIGx8T+/Y1G1T+BGWzhWxLHC5V1JQcSHysDfO7Q2ITdQC9jScNKROFlphvinMqItrBWDgWz/ESHViCVqW3qeCqDFFTMhKTTfBnwaOhSb+M99Rd+nCzmyLQrDgq/CSHzXhVtkQJV5MugZ1+wCUl59ylxroFsIS9csy2uRWGiWQh5Q59zc6kUbjPKDx53b2DXC8WuGhgD4XgT1fkSN2SOXxYiyPullF9T9ljCX4Qny9AQ3X6tvk+2MviKS40vlevdFLS4xFkf3BxzP+oAyB+X+py7kpD+RoH+jrSEC3lBPNwPd65J4TSDa4ZpFJeNX7Us7R6bIc8kesW+IWu9+vZjcD0Gji1xbQ5FtL/5YzdrO7hzEWVQbkl6kuRtvZ1AwWjeM+nT34RWal7XcdcFzeV0NPwNQ=,iv:IbLwzWe6vis4hH/4T5tzaVJflYFXZFjSlzYeBAqcaZs=,tag:WTYuVWCsrzSvNrCuGaXsRA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtSktSV1ByUnF2TGJaMzh3
+            a3RoaHptWHF1MjdsUFc5R2pySEFYa1IzQVE0CjZoUkVhaktldDJvL2dmRjdGa1B5
+            MEtoUHpoaENNUVRtS3B4aXJQMHNCT2sKLS0tIGd5dEt0RWpkd3ZPVGkvM1JWWUdh
+            ZDBtRFJTMlZmUmtlNVc3ZW5oa3V0WGsKcqjqj+oPnGxAzeWpPYSpBBfS9GhN+O4/
+            Mt9NT1LWfiUDhxz5GYmcLKe1tRNXpGeG02HcY65WgcVd1Y7n4mMJRA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZnRDOHZ1MWViV0dhS3JO
+            dmY2N2lyVHUxNmZnMStpcFMwbzMyZXBaaEJZCjZqWk0rOEdnMVNLTVRHMDNzUm5u
+            OFZTV2ZGTFQ5QlQrM3gzNUhQQ2xXMkEKLS0tIGUzeTEwZmYxekQ0cTJrU2Vhb3Zp
+            M2FjUFFrREphODFQUm1kRlJNOGRpTTQKF7k5/oPjoILtFEf2sO6nnF0Ar6ebTN3r
+            TdXYtTek0sIlSdYfVSxLmhiymz2mKi7TKPcKH6POmp0uuVX8HFEAJg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eWIvamwrRGthdzlYRmJm
+            SjNQTG92TzlvckJCMTM3SytHdUVodVJFYkVJCmRLSjg5TGF4RkZ1WitRNVVrSlNT
+            ZnQ5TnRPTGI5Uk1vaWpvMWh2NHR4NmsKLS0tIFRtbm5Kemo1WVMyMFZ3SDAwdDBn
+            dEN1cEJFZU82bVFRVlVqcTIzckRHQjgKHgRyq4UOcZyiFnK9fq1NLtxRktFCs3V8
+            EQhl+CPWTRZTZkttJ5MclGlvTNbiH3Iy9syKns6qvOw75wqtXIdIWQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-07-09T22:04:02Z"
+    mac: ENC[AES256_GCM,data:m3EXpaGra4uT0m2w9B8D6p03PBXeYWn4AiStPtdN15/JwvTRsJvYeOE4CirZvDT3nq7ne/8j/62Z7sCkb7t8W48MfjrnvAYRFJvKT2hSmJnzqXH6446Srel88BfVmiMdcts4OvAea3Dg4oTMMIn5d2L+rIT8zuPY208tqo4vCPY=,iv:LI5WRb46DZLSL9rndXDo/xzDzXUArRANBqrEx8bmGIc=,tag:2K3vKFmb88Zjru1miwR7Dw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.0

nixos/profiles/server/default.nix

@@ -1,14 +1,5 @@
-{
-  pkgs,
-  inputs,
-  ...
-}: {
+{inputs, ...}: {
   imports = [
-    ../common/core
-    # ../common/minimal
     inputs.srvos.nixosModules.mixins-terminfo
   ];
-
-  boot.kernelPackages = pkgs.linuxPackages;
-  networking.wireless.iwd.enable = false;
 }

secrets.yaml

@@ -1,16 +1,5 @@
 hashed-passwd: ENC[AES256_GCM,data:KPOh1bYW2eruBI7Z9OKqqRmoXAxQ/k5sghAmHDFyUeJTNavelU9hcGfBq69KSU+MeFVfRmwHZncZYyiDkF4hFI2YFgFY0M2jzA==,iv:h7XtrT/4/T1b4SPGx10w5g84DMCA/FE3mjinwcLn0tI=,tag:jS8XnwEdEH2QYkNJVRwkcA==,type:str]
 nix-access-tokens: ENC[AES256_GCM,data:lUeCDT0r1AnTFG4s8eLxSlGRVQAJ4eyXVW80pkgAL5aVrG86+G7NOLVfQYUxthLBRFFXnGA2rQD4h4c2VWknd0YDFdS+me8RBbN2mqJm6YqEYdMEW2Lgv9iSz/zXuDT9FFdDWRdv71lTTwyP2Gie4Y8UkBrAV3ue,iv:HyDyQ5H2nDzi4nIUKoelOrzF4K3sIMlB5HoQR9EMc0s=,tag:vgn2TtQRE8Qd+/zjlOSuAw==,type:str]
-wireless:
-    wangxiaobo: ENC[AES256_GCM,data:Lz1gAdJn2aBn/TdcQRjErSrIAJHlq0mT9qsE72ocEMxNqx6TW6dJkbRfKZ6IDe/a2HNP3zUpX3MjjRbCepBkZIHmsg1SwkGfA7wWysQOxXRXYCoqWH+NbP4xm6r0QV5RGTmXU+bnKubrrJZ8Z2M2n5LDp3bf16XL22Wjsyakju4z36d1K7NPBUoCIHoVKJaLam29rWDyIaBOfZbzG+M5reGLt1hVPDWWYGjnB4xC4lqQE5bpyKrVtoU+XATCWIIx3ZZWqJsf3TVzEDvu1aCb127PMCP2lqI55Hf94RgsZPWWgoLrAhaI8t067hAWPOfdfZEEGetO4BjzJwRyCNQAvqx+YLe0RJOz3lriUP3ie1mYmft4AyhV8JUmVZhEsJ7peATt+ds11BUuGw2SU9cKSa2NHM/K7e1x23Kofl1qrFF+ylr1Sy8OCZhfBozdFnPDzcYsuApe0xvMYCt4fsHFjB/kGtIG7rdGapJnvgAwhewd3dTtg4mAKPgvYr4FdWgDSr7GqrDdgqT2W8nbtJ5oQQnYmDnX+0tfLcF15EgvEN9mLIpsdNfVX3eOp1e/Z6fsbdMtpyNuMRwNDAi9V1tsYTDM/+U9xvZK3DWNX6XTYQ==,iv:nq2Hj7aY+M8QJoA08oyvg55UuxJdnoGTT2KQNu3B8Z8=,tag:sYV4ZE2evYb3U4JRPCJT3Q==,type:str]
-    OpenWrt: ENC[AES256_GCM,data:tlZJExED1Brv4/hOJjbgEbyLMQZVfNhl/5ux94IDM5jSL2lEBYy74qf4VVn2SKMYUuu7bjV7UlnwrD/jzDRuO/gWfkeuoZ5uh3pX0s2wv5E2Z7nJjkYtVn0XDlr8m/4Y6R14ahSIqKJKY4LAAeuQo0t7jEeYv4E3kuyhXUNE5jjrdD9mW+ObS1WV/DpBqUZc3dJe+88EVzgVa5F/L+VWQ3Klz5TduQzqfOyjjoNe+z8gwODzHczfPZCdplfo4PbrMWV8FlyUdJUX37nkZiEkyUpPuksZHb5OPAtx9fCh/KF5y/txS9oZTwOkiE4LBQBpj2NcLMQGOEdtRYLzJekyaOGChrtD+mFfL9LBuLwQLAzHLUI4oZ3PUgu3zXYevtmyrSSwlK/2iama71swmNu+qYws+WkjMVyF4MB/KCtMJULbZW9XJp7tw7cfSzek0RMizlk3MgrEyF2w3J9vx6Q4OHPSE48kgK2Kw0kg93wl9uO6kCRq0QiTJ6lZHopsWyWHTcs1,iv:kvBRYkhFAmDCSdU5Nkc66VblbjQfWHp7ls8x0d46ueA=,tag:Y/oa7vgoI/VsZ+OyJUjZ/g==,type:str]
-clash:
-    secret: ENC[AES256_GCM,data:eCq/pDlSOw==,iv:QGNKxqmkj9BWFBJGj/O4fUL8Ey8zGEHMsWX02DrM82U=,tag:z2vVCBSt6mw47ca2xoxg9A==,type:str]
-    proxies:
-        lightsail: ENC[AES256_GCM,data:o84OgvKdogV8EmeyRLu/gexre5QY8kaf2txXTi2Id2Ya+cWJ08WBiNGYdLKGVKSr1bflbeTirTnUgBJ7ozAw3seWDxOuFRrdvy2jZx+x8doOVwP3FsKQUeCJd4yr4M7FuA3lA0dvBpAX/W5nvz82F15x4o6AYKx0AOTh+QbVTdX4,iv:ojvL+sSORq2DYHdVDUCvN1nCt44Th7SM++I1ZRB9KyQ=,tag:z+er0P7gHa+rn4MiMyJnmg==,type:str]
-    proxy-providers:
-        flyairport: ENC[AES256_GCM,data:akHdU/2o8D65sG2b/mcj76HASwhg3WvoEcrpgkXPyh7kuc+Ci42hmmmmBk9I29vuvZjTtCTs8mMzaLK1wm8TS/K1A1zeAGULxSsqhpV4cA19Q4vAtQ2+FyuGiaFszuaHK6BSlZAosfmCGoM1nZRYuOnsdeR0vnHBIHhJFNhaLw==,iv:VeVT3cEaOO/90gcqpm2yOacThbEyaXuBRhp4buX/XOY=,tag:kojJbqwYk/DNFBcJMY2eXg==,type:str]
-        efcloud: ENC[AES256_GCM,data:GvKNMscPknhlBy9Qp8iuYoxF10oX2ZIOKo+XKRH2NOGGDiMk/GwdGfA5+gf3ZcEEGFGw/8CrBddjJCivyxqwF+oAEHJyjdcFhGyyOopsx9s3waq8Hge/KzE=,iv:WXAd3yA5cTZp+ttKHXPf6cbsk6pRXq5/xMysNUAs1Rk=,tag:HygexRSW8ICa+RIFmrRKRQ==,type:str]
-        spcloud: ENC[AES256_GCM,data:Uz0SLmSxzV/hcsBuYtlsZ5G5E8wjzmHcFMGCyBrEewOr6gAdBQvC4njotYbMIdQAQRTgAE2wBukdSxXWCTrNph7uoVhskz1YkNjxnQVPUO5WfQ==,iv:TwHPdeATx+LanfhHeD7M5sSf3M2NLBWBAAaFTwgsK7A=,tag:9DMgcSoy4ksYl/dPWwA+dA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -53,8 +42,8 @@ sops:
             SC9YMFk4dUNOUDJYMXErck8yTmJmZmcKp66bHZTD6VitAOfzIr8VJr02+R9f5mxH
             c5n2CWurDsZsNTKk7pgxQo78ySyAG3rzvOqgK0NFesyHy9dRl8xHCQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-01T09:25:25Z"
-    mac: ENC[AES256_GCM,data:rQ0ZRb1Js05XWfrXSGjdJd8g3heaAmNHyRoPxmvZe36a1DXFi3eCKvBs8JjOFdtAp9XCJ9OYjzDsCpBvUSfuApjmBoMZUVqjrf88sAxT7j/4e1tdkBZto0ReondIxwt7hTEcNpuawdouPk+yehTqmw3Nyovnd/mztw/I9zhHPuk=,iv:EXvTgLqRp2JZtpiEcSW4XyQdKZ+aSoKKPgx6q8BFkhY=,tag:gbPiWetjaFm+mEmjsl9kww==,type:str]
+    lastmodified: "2024-07-09T22:04:25Z"
+    mac: ENC[AES256_GCM,data:d8ml8uokaSlD/nJQVM732OoEXZB0a7dpq5Koq1/Nz8iW9xDmwvrWONRmI6EPHMHJ+vFXKS09iLBtaWRo83H1KPIEfN6slVY8wrVYychz38A/jXx3TWd1oh00otJpkmjzWfEbhYYB6K0D2lTP/rfu009b29OzBNbqcIfVrJRz4vQ=,iv:/PBfFIf+SZ4zmRdOba8NKV29JRWHzCGwK5Oo2EGq/90=,tag:5eHt2FPi+5uSNEd3GlFkcQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0

treefmt.nix

@@ -23,8 +23,10 @@
   ### misc
   programs.prettier.enable = true;
   settings.formatter.prettier.excludes = [
-    "secrets.yaml"
     "hosts/blacksteel/secrets.yaml"
     "hosts/lightsail-tokyo/secrets.yaml"
+    "nixos/profiles/opt-in/mihomo/secrets.yaml"
+    "nixos/profiles/opt-in/wireless/secrets.yaml"
+    "secrets.yaml"
   ];
 }