31 changed files with 521 additions and 548 deletions
--- a/flake.lock
+++ b/flake.lock
@ -7,11 +7,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722960479,
+        "lastModified": 1721842668,
-        "narHash": "sha256-NhCkJJQhD5GUib8zN9JrmYGMwt4lCRp6ZVNzIiYCl0Y=",
+        "narHash": "sha256-k3oiD2z2AAwBFLa4+xfU+7G5fisRXfkvrMTCJrjZzXo=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "4c6c77920b8d44cd6660c1621dea6b3fc4b4c4f4",
+        "rev": "529c1a0b1f29f0d78fa3086b8f6a134c71ef3aaf",
        "type": "github"
      },
      "original": {
@ -27,11 +27,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723080788,
+        "lastModified": 1722476845,
-        "narHash": "sha256-C5LbM5VMdcolt9zHeLQ0bYMRjUL+N+AL5pK7/tVTdes=",
+        "narHash": "sha256-7gZ8uf3qOox8Vrwd+p9EhUHHLhhK8lis/5KcXGmIaow=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "ffc1f95f6c28e1c6d1e587b51a2147027a3e45ed",
+        "rev": "7e1b215a0a96efb306ad6440bf706d2b307dc267",
        "type": "github"
      },
      "original": {
@ -122,11 +122,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723015306,
+        "lastModified": 1722630065,
-        "narHash": "sha256-jQnFEtH20/OsDPpx71ntZzGdRlpXhUENSQCGTjn//NA=",
+        "narHash": "sha256-QfM/9BMRkCmgWzrPDK+KbgJOUlSJnfX4OvsUupEUZvA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "b3d5ea65d88d67d4ec578ed11d4d2d51e3de525e",
+        "rev": "afc892db74d65042031a093adb6010c4c3378422",
        "type": "github"
      },
      "original": {
@ -221,11 +221,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722924007,
+        "lastModified": 1722609272,
-        "narHash": "sha256-+CQDamNwqO33REJLft8c26NbUi2Td083hq6SvAm2xkU=",
+        "narHash": "sha256-Kkb+ULEHVmk07AX+OhwyofFxBDpw+2WvsXguUS2m6e4=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "91010a5613ffd7ee23ee9263213157a1c422b705",
+        "rev": "f7142b8024d6b70c66fd646e1d099d3aa5bfec49",
        "type": "github"
      },
      "original": {
@ -236,11 +236,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1723310128,
+        "lastModified": 1722332872,
-        "narHash": "sha256-IiH8jG6PpR4h9TxSGMYh+2/gQiJW9MwehFvheSb5rPc=",
+        "narHash": "sha256-2xLM4sc5QBfi0U/AANJAW21Bj4ZX479MHPMPkB+eKBU=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf",
+        "rev": "14c333162ba53c02853add87a0000cbd7aa230c2",
        "type": "github"
      },
      "original": {
@ -251,11 +251,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1723316219,
+        "lastModified": 1722589669,
-        "narHash": "sha256-2B9qh8QBvw3kV/8cHc7ZJcrbVsRwP8wKjkwPXTSz76Y=",
+        "narHash": "sha256-rxDnGBZK+Sp3df20nCCRrtQzRrJKxY7KtcYNPo5yfg8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "bef98989a27429e1cb9e3d9c25701ba2da742af2",
+        "rev": "42015a129a2ae1cd43a44490e8235d2b24c8a2e2",
        "type": "github"
      },
      "original": {
@ -281,11 +281,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723202784,
+        "lastModified": 1721042469,
-        "narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=",
+        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "c7012d0c18567c889b948781bc74a501e92275d1",
+        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
        "type": "github"
      },
      "original": {
@ -323,11 +323,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723343015,
+        "lastModified": 1722651535,
-        "narHash": "sha256-oS8Qhpo71B/6OOsuVBFJbems7RKD/5e3TN2AdXhwMjg=",
+        "narHash": "sha256-2uRmNwxe3CO5h7PfvqXrRe8OplXaEdwhqOUtaF13rpU=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "ed4fe9af3814694d59c572649e881a6aa6eba533",
+        "rev": "56d83ca6f3c557647476f3720426a7615c22b860",
        "type": "github"
      },
      "original": {
@ -346,11 +346,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1722897572,
+        "lastModified": 1722114803,
-        "narHash": "sha256-3m/iyyjCdRBF8xyehf59QlckIcmShyTesymSb+N4Ap4=",
+        "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "8ae477955dfd9cbf5fa4eb82a8db8ddbb94e79d9",
+        "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab",
        "type": "github"
      },
      "original": {
@ -381,11 +381,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723303070,
+        "lastModified": 1722330636,
-        "narHash": "sha256-krGNVA30yptyRonohQ+i9cnK+CfCpedg6z3qzqVJcTs=",
+        "narHash": "sha256-uru7JzOa33YlSRwf9sfXpJG+UAV+bnBEYMjrzKrQZFw=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "14c092e0326de759e16b37535161b3cb9770cea3",
+        "rev": "768acdb06968e53aa1ee8de207fd955335c754b7",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -104,7 +104,9 @@
      ### nix develop
      devShells.default = pkgs.mkShell {
        packages = with pkgs; [
          alejandra
          colmena
          git
          sops
        ];
      };
@ -133,6 +135,7 @@
      ### NixOS
      nixosConfigurations = {
        "blacksteel" = mkNixOS "x86_64-linux" [./hosts/blacksteel];
        "dust" = mkNixOS "x86_64-linux" [./hosts/dust];
      };
@ -154,8 +157,8 @@
          ./nixos/profiles/core
        ];
-        "tyo0" = {
+        "lightsail-tokyo" = {
-          imports = [./hosts/tyo0];
+          imports = [./hosts/lightsail-tokyo];
          deployment.targetHost = "tyo0.ny4.dev";
        };
--- a/hosts/blacksteel/Caddyfile
+++ b/hosts/blacksteel/Caddyfile
@ -2,7 +2,7 @@
 	encode zstd gzip
 	handle_path /robots.txt {
 		file_server * {
-			root @robots@
+			root /var/www/robots/robots.txt
 		}
 	}
 }
--- a/hosts/blacksteel/default.nix
+++ b/hosts/blacksteel/default.nix
@ -1,35 +1,28 @@
 {
  pkgs,
  lib,
  config,
  pkgs,
  ...
 }: {
  imports = [
    # OS
    ../../nixos/profiles/server
    ../../nixos/profiles/opt-in/mihomo
    ../../nixos/profiles/opt-in/wireless
    # Hardware
    ./hardware-configuration.nix
    ./anti-feature.nix
    # Services
    ./services/samba.nix
    ./services/matrix.nix
    ./services/mastodon.nix
    ./services/minecraft.nix
    ./services/jellyfin.nix
  ];
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.systemd-boot.enable = true;
  networking.hostName = "blacksteel";
  time.timeZone = "Asia/Shanghai";
-  system.stateVersion = "24.05";
+  system.stateVersion = "23.11";
  ######## Secrets
-  sops.secrets = lib.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
+  sops = {
    secrets = lib.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
      "synapse/secret" = {
        restartUnits = ["matrix-synapse.service"];
        owner = config.systemd.services.matrix-synapse.serviceConfig.User;
@ -49,6 +42,10 @@
        owner = config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;
      };
    };
  };
  ######## Services
  environment.systemPackages = with pkgs; [qbittorrent-nox];
  services.tailscale = {
    enable = true;
@ -74,7 +71,6 @@
    enable = true;
    configFile = pkgs.substituteAll {
      src = ./Caddyfile;
      robots = toString ../tyo0/robots.txt;
      inherit (pkgs) mastodon;
    };
  };
@ -83,10 +79,25 @@
    SupplementaryGroups = ["mastodon" "matrix-synapse"];
  };
  systemd.tmpfiles.settings = {
    "10-www" = {
      "/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt;
    };
  };
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
    settings = {
      # Generated by pgTune
      # https://pgtune.leopard.in.ua/#/
      #
      # DB Version: 15
      # OS Type: linux
      # DB Type: web
      # Total Memory (RAM): 16 GB
      # CPUs num: 8
      # Data Storage: ssd
      max_connections = 200;
      shared_buffers = "4GB";
      effective_cache_size = "12GB";
@ -94,7 +105,7 @@
      checkpoint_completion_target = 0.9;
      wal_buffers = "16MB";
      default_statistics_target = 100;
-      random_page_cost = 1.1;
+      random_page_cost = "1.1";
      effective_io_concurrency = 200;
      work_mem = "5242kB";
      huge_pages = "off";
@ -120,4 +131,180 @@
    compression = "zstd";
    startAt = "weekly";
  };
  services.minecraft-server = {
    enable = true;
    eula = true;
    openFirewall = true;
    package = pkgs.minecraftServers.vanilla-1-21;
    # Aikar's flag
    # https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
    # https://docs.papermc.io/paper/aikars-flags
    jvmOpts = lib.concatStringsSep " " [
      "-Xms2G"
      "-Xmx2G"
      "-XX:+UseG1GC"
      "-XX:+ParallelRefProcEnabled"
      "-XX:MaxGCPauseMillis=200"
      "-XX:+UnlockExperimentalVMOptions"
      "-XX:+DisableExplicitGC"
      "-XX:+AlwaysPreTouch"
      "-XX:G1NewSizePercent=30"
      "-XX:G1MaxNewSizePercent=40"
      "-XX:G1HeapRegionSize=8M"
      "-XX:G1ReservePercent=20"
      "-XX:G1HeapWastePercent=5"
      "-XX:G1MixedGCCountTarget=4"
      "-XX:InitiatingHeapOccupancyPercent=15"
      "-XX:G1MixedGCLiveThresholdPercent=90"
      "-XX:G1RSetUpdatingPauseTimePercent=5"
      "-XX:SurvivorRatio=32"
      "-XX:+PerfDisableSharedMem"
      "-XX:MaxTenuringThreshold=1"
      "-Dusing.aikars.flags=https://mcflags.emc.gs"
      "-Daikars.new.flags=true"
    ];
    declarative = true;
    serverProperties = {
      motd = "NixOS Minecraft server!";
      white-list = true;
      difficulty = 3;
      gamemode = 0;
      max-players = 5;
    };
    whitelist = {
      "Guanran928" = "86dbb6c5-8d8b-4c45-b8eb-b3fdf03bfb27";
      "i_love_ravens" = "2788dd4b-b010-4a2f-9b5c-aad0c0e0cba5";
    };
  };
  services.samba = {
    enable = true;
    openFirewall = true;
    shares = {
      "share" = {
        path = "/srv/samba/share";
        "read only" = "no";
      };
      "external" = {
        path = "/mnt";
        "read only" = "no";
      };
    };
  };
  services.samba-wsdd = {
    enable = true;
    openFirewall = true;
  };
  systemd.tmpfiles.rules = [
    "d /srv/samba/share 0755 guanranwang root"
  ];
  services.matrix-synapse = {
    enable = true;
    withJemalloc = true;
    enableRegistrationScript = false;
    extraConfigFiles = [config.sops.secrets."synapse/secret".path];
    settings = {
      server_name = "ny4.dev";
      public_baseurl = "https://matrix.ny4.dev";
      presence.enabled = false; # tradeoff
      listeners = [
        {
          path = "/run/matrix-synapse/synapse.sock";
          type = "http";
          resources = [
            {
              names = ["client" "federation"];
              compress = true;
            }
          ];
        }
      ];
      # https://element-hq.github.io/synapse/latest/openid.html#keycloak
      oidc_providers = [
        {
          idp_id = "keycloak";
          idp_name = "id.ny4.dev";
          issuer = "https://id.ny4.dev/realms/ny4";
          client_id = "synapse";
          client_secret_path = config.sops.secrets."synapse/oidc".path;
          scopes = ["openid" "profile"];
          user_mapping_provider.config = {
            localpart_template = "{{ user.preferred_username }}";
            display_name_template = "{{ user.name }}";
          };
          backchannel_logout_enabled = true;
          allow_existing_users = true;
        }
      ];
    };
  };
  systemd.services.matrix-synapse = {
    environment = config.networking.proxy.envVars;
    serviceConfig.RuntimeDirectory = ["matrix-synapse"];
  };
  services.matrix-sliding-sync = {
    enable = true;
    environmentFile = config.sops.secrets."syncv3/environment".path;
    settings = {
      SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock";
      SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
    };
  };
  systemd.services.matrix-sliding-sync.serviceConfig = {
    RuntimeDirectory = ["matrix-sliding-sync"];
    SupplementaryGroups = ["matrix-synapse"];
  };
  services.mastodon = {
    enable = true;
    localDomain = "ny4.dev";
    streamingProcesses = 1;
    mediaAutoRemove.olderThanDays = 14;
    # FIXME: this doesn't exist
    smtp = {
      createLocally = false;
      fromAddress = "mastodon@ny4.dev";
    };
    extraConfig = rec {
      SINGLE_USER_MODE = "true";
      WEB_DOMAIN = "mastodon.ny4.dev";
      # keycloak
      OMNIAUTH_ONLY = "true";
      OIDC_ENABLED = "true";
      OIDC_CLIENT_ID = "mastodon";
      # OIDC_CLIENT_SECRET # EnvironmentFile
      OIDC_DISCOVERY = "true";
      OIDC_DISPLAY_NAME = "id.ny4.dev";
      OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
      OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
      OIDC_SCOPE = "openid,profile,email";
      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
      OIDC_UID_FIELD = "preferred_username";
    };
  };
  systemd.services.mastodon-web = {
    environment = config.networking.proxy.envVars;
    serviceConfig.EnvironmentFile = [config.sops.secrets."mastodon/environment".path];
  };
  systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
  services.jellyfin = {
    enable = true;
    openFirewall = true;
  };
 }
--- a/hosts/blacksteel/services/jellyfin.nix
+++ b/hosts/blacksteel/services/jellyfin.nix
@ -1,6 +0,0 @@
 {
  services.jellyfin = {
    enable = true;
    openFirewall = true;
  };
 }
--- a/hosts/blacksteel/services/mastodon.nix
+++ b/hosts/blacksteel/services/mastodon.nix
@ -1,37 +0,0 @@
 {config, ...}: {
  services.mastodon = {
    enable = true;
    localDomain = "ny4.dev";
    streamingProcesses = 1;
    mediaAutoRemove.olderThanDays = 14;
    # FIXME: this doesn't exist
    smtp = {
      createLocally = false;
      fromAddress = "mastodon@ny4.dev";
    };
    extraConfig = rec {
      SINGLE_USER_MODE = "true";
      WEB_DOMAIN = "mastodon.ny4.dev";
      # keycloak
      OMNIAUTH_ONLY = "true";
      OIDC_ENABLED = "true";
      OIDC_CLIENT_ID = "mastodon";
      # OIDC_CLIENT_SECRET # EnvironmentFile
      OIDC_DISCOVERY = "true";
      OIDC_DISPLAY_NAME = "id.ny4.dev";
      OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
      OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
      OIDC_SCOPE = "openid,profile,email";
      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
      OIDC_UID_FIELD = "preferred_username";
    };
  };
  systemd.services.mastodon-web = {
    environment = config.networking.proxy.envVars;
    serviceConfig.EnvironmentFile = [config.sops.secrets."mastodon/environment".path];
  };
  systemd.services.mastodon-sidekiq-all.environment = config.networking.proxy.envVars;
 }
--- a/hosts/blacksteel/services/matrix.nix
+++ b/hosts/blacksteel/services/matrix.nix
@ -1,62 +0,0 @@
 {config, ...}: {
  services.matrix-synapse = {
    enable = true;
    withJemalloc = true;
    enableRegistrationScript = false;
    extraConfigFiles = [config.sops.secrets."synapse/secret".path];
    settings = {
      server_name = "ny4.dev";
      public_baseurl = "https://matrix.ny4.dev";
      presence.enabled = false; # tradeoff
      listeners = [
        {
          path = "/run/matrix-synapse/synapse.sock";
          type = "http";
          resources = [
            {
              names = ["client" "federation"];
              compress = true;
            }
          ];
        }
      ];
      # https://element-hq.github.io/synapse/latest/openid.html#keycloak
      oidc_providers = [
        {
          idp_id = "keycloak";
          idp_name = "id.ny4.dev";
          issuer = "https://id.ny4.dev/realms/ny4";
          client_id = "synapse";
          client_secret_path = config.sops.secrets."synapse/oidc".path;
          scopes = ["openid" "profile"];
          user_mapping_provider.config = {
            localpart_template = "{{ user.preferred_username }}";
            display_name_template = "{{ user.name }}";
          };
          backchannel_logout_enabled = true;
          allow_existing_users = true;
        }
      ];
    };
  };
  systemd.services.matrix-synapse = {
    environment = config.networking.proxy.envVars;
    serviceConfig.RuntimeDirectory = ["matrix-synapse"];
  };
  services.matrix-sliding-sync = {
    enable = true;
    environmentFile = config.sops.secrets."syncv3/environment".path;
    settings = {
      SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock";
      SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
    };
  };
  systemd.services.matrix-sliding-sync.serviceConfig = {
    RuntimeDirectory = ["matrix-sliding-sync"];
    SupplementaryGroups = ["matrix-synapse"];
  };
 }
--- a/hosts/blacksteel/services/minecraft.nix
+++ b/hosts/blacksteel/services/minecraft.nix
@ -1,54 +0,0 @@
 {
  lib,
  pkgs,
  ...
 }: {
  services.minecraft-server = {
    enable = true;
    eula = true;
    openFirewall = true;
    package = pkgs.minecraftServers.vanilla-1-21;
    # Aikar's flag
    # https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
    # https://docs.papermc.io/paper/aikars-flags
    jvmOpts = lib.concatStringsSep " " [
      "-Xms2G"
      "-Xmx2G"
      "-XX:+UseG1GC"
      "-XX:+ParallelRefProcEnabled"
      "-XX:MaxGCPauseMillis=200"
      "-XX:+UnlockExperimentalVMOptions"
      "-XX:+DisableExplicitGC"
      "-XX:+AlwaysPreTouch"
      "-XX:G1NewSizePercent=30"
      "-XX:G1MaxNewSizePercent=40"
      "-XX:G1HeapRegionSize=8M"
      "-XX:G1ReservePercent=20"
      "-XX:G1HeapWastePercent=5"
      "-XX:G1MixedGCCountTarget=4"
      "-XX:InitiatingHeapOccupancyPercent=15"
      "-XX:G1MixedGCLiveThresholdPercent=90"
      "-XX:G1RSetUpdatingPauseTimePercent=5"
      "-XX:SurvivorRatio=32"
      "-XX:+PerfDisableSharedMem"
      "-XX:MaxTenuringThreshold=1"
      "-Dusing.aikars.flags=https://mcflags.emc.gs"
      "-Daikars.new.flags=true"
    ];
    declarative = true;
    serverProperties = {
      motd = "NixOS Minecraft server!";
      white-list = true;
      difficulty = 3;
      gamemode = 0;
      max-players = 5;
    };
    whitelist = {
      "Guanran928" = "86dbb6c5-8d8b-4c45-b8eb-b3fdf03bfb27";
      "i_love_ravens" = "2788dd4b-b010-4a2f-9b5c-aad0c0e0cba5";
    };
  };
 }
--- a/hosts/blacksteel/services/qbittorrent.nix
+++ b/hosts/blacksteel/services/qbittorrent.nix
@ -1,7 +0,0 @@
 {pkgs, ...}: {
  # TODO: https://github.com/NixOS/nixpkgs/pull/287923
  # currently running qbittorrent-nox with tmux :c
  environment.systemPackages = with pkgs; [
    qbittorrent-nox
  ];
 }
--- a/hosts/blacksteel/services/samba.nix
+++ b/hosts/blacksteel/services/samba.nix
@ -1,15 +0,0 @@
 {
  services.samba = {
    enable = true;
    openFirewall = true;
    shares."external" = {
      "path" = "/mnt";
      "read only" = "no";
    };
  };
  services.samba-wsdd = {
    enable = true;
    openFirewall = true;
  };
 }
--- a/hosts/dust/default.nix
+++ b/hosts/dust/default.nix
@ -16,7 +16,7 @@
  networking.hostName = "dust";
  time.timeZone = "Asia/Shanghai";
-  system.stateVersion = "24.05";
+  system.stateVersion = "23.11";
  home-manager.users.guanranwang = import ./home;
--- a/hosts/lightsail-tokyo/Caddyfile
+++ b/hosts/lightsail-tokyo/Caddyfile
--- a/hosts/lightsail-tokyo/anti-feature.nix
+++ b/hosts/lightsail-tokyo/anti-feature.nix
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@ -0,0 +1,249 @@
 {
  lib,
  config,
  modulesPath,
  pkgs,
  ...
 }: {
  imports = [
    "${modulesPath}/virtualisation/amazon-image.nix"
    ../../nixos/profiles/server
    ./anti-feature.nix
  ];
  time.timeZone = "Asia/Tokyo";
  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
  system.stateVersion = "23.11";
  swapDevices = [
    {
      device = "/var/lib/swapfile";
      size = 4 * 1024; # 4 GiB
    }
  ];
  # WORKAROUND:
  systemd.services."print-host-key".enable = false;
  ### Secrets
  sops.secrets = lib.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
    "hysteria/auth" = {
      restartUnits = ["hysteria.service"];
    };
    "pixivfe/environment" = {
      restartUnits = ["pixivfe.service"];
    };
    "searx/environment" = {
      restartUnits = ["searx.service"];
    };
    "miniflux/environment" = {
      restartUnits = ["miniflux.service"];
    };
  };
  ### Services
  networking.firewall.allowedUDPPorts = [443]; # hysteria
  networking.firewall.allowedTCPPorts = [80 443]; # caddy
  systemd.tmpfiles.settings = {
    "10-www" = {
      "/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
      "/var/www/matrix/client".C.argument = toString ./matrix-client.json;
      "/var/www/matrix/server".C.argument = toString ./matrix-server.json;
    };
  };
  services.caddy = {
    enable = true;
    configFile = pkgs.substituteAll {
      src = ./Caddyfile;
      "element" = pkgs.element-web.override {
        element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: {
          version = "1.11.72";
          src = oldAttrs.src.overrideAttrs {
            outputHash = "sha256-ZLSCbt00R3azFz2lOuj8yqaLFyobnmGmQKYOYLHCA1w=";
          };
          offlineCache = oldAttrs.offlineCache.overrideAttrs {
            outputHash = "sha256-7NXXjv7xNEBVRmWawpdfZBFV51hAspdP1oAURGaRg48=";
          };
        });
        conf.default_server_config."m.homeserver" = {
          base_url = "https://matrix.ny4.dev";
          server_name = "ny4.dev";
        };
      };
      "cinny" = pkgs.cinny.override {
        conf = {
          defaultHomeserver = 0;
          homeserverList = ["ny4.dev"];
        };
      };
      "mastodon" = pkgs.mastodon;
    };
  };
  services.hysteria = {
    enable = true;
    settings = {
      auth = {
        type = "userpass";
        userpass = {
          _secret = "/run/credentials/hysteria.service/auth";
          quote = false;
        };
      };
      masquerade = {
        type = "proxy";
        proxy.url = "https://ny4.dev/";
      };
      tls = {
        cert = "/run/credentials/hysteria.service/cert";
        key = "/run/credentials/hysteria.service/key";
      };
    };
  };
  systemd.services."hysteria".serviceConfig.LoadCredential = [
    # FIXME: remove hardcoded path
    "auth:${config.sops.secrets."hysteria/auth".path}"
    "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
    "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
  ];
  # `journalctl -u murmur.service | grep Password`
  services.murmur = {
    enable = true;
    openFirewall = true;
    bandwidth = 256 * 1024; # 256 Kbit/s
  };
  services.searx = {
    enable = true;
    package = pkgs.searxng;
    environmentFile = config.sops.secrets."searx/environment".path;
    settings = {
      general.contact_url = "mailto:guanran928@outlook.com";
      search.autocomplete = "google";
      server = {
        port = 8100;
        secret_key = "@SEARX_SECRET@";
      };
    };
  };
  services.wastebin = {
    enable = true;
    settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
  };
  services.uptime-kuma = {
    enable = true;
    settings.PORT = "8300";
  };
  services.ntfy-sh = {
    enable = true;
    settings = {
      base-url = "https://ntfy.ny4.dev";
      listen-http = "";
      listen-unix = "/run/ntfy-sh/ntfy.sock";
      listen-unix-mode = 511; # 0777
      behind-proxy = true;
    };
  };
  systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
  services.pixivfe = {
    enable = true;
    EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
    settings = {
      PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
      PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
    };
  };
  systemd.services.pixivfe.serviceConfig = {
    RuntimeDirectory = ["pixivfe"];
    ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
      ${pkgs.coreutils}/bin/sleep 5
      ${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
    '';
  };
  services.keycloak = {
    enable = true;
    settings = {
      cache = "local";
      hostname = "id.ny4.dev";
      http-host = "127.0.0.1";
      http-port = 8800;
      proxy = "edge";
      # proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
    };
    database.passwordFile = toString (pkgs.writeText "password" "keycloak");
  };
  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    database.type = "postgres";
    settings = {
      server = {
        DOMAIN = "git.ny4.dev";
        PROTOCOL = "http+unix";
        ROOT_URL = "https://git.ny4.dev/";
        SSH_DOMAIN = "tyo0.ny4.dev";
      };
      service = {
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
      };
    };
  };
  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
    config = {
      LISTEN_ADDR = "127.0.0.1:9300";
      BASE_URL = "https://rss.ny4.dev";
      OAUTH2_PROVIDER = "oidc";
      OAUTH2_CLIENT_ID = "miniflux";
      # OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile
      OAUTH2_REDIRECT_URL = "https://rss.ny4.dev/oauth2/oidc/callback";
      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
    };
  };
  services.redlib = {
    enable = true;
    address = "127.0.0.1";
    port = 9400;
  };
  ### Prevents me from bankrupt
  # https://fmk.im/p/shutdown-aws/
  services.vnstat.enable = true;
  systemd.services."no-bankrupt" = {
    serviceConfig.Type = "oneshot";
    path = with pkgs; [coreutils gawk vnstat systemd];
    script = ''
      TRAFF_TOTAL=1900
      TRAFF_USED=$(vnstat --oneline b | awk -F ';' '{print $11}')
      CHANGE_TO_GB=$(($TRAFF_USED / 1073741824))
      if [ $CHANGE_TO_GB -gt $TRAFF_TOTAL ]; then
          shutdown -h now
      fi
    '';
  };
  systemd.timers."no-bankrupt" = {
    timerConfig.OnCalendar = "*:0:0"; # Check every hour
  };
 }
--- a/hosts/lightsail-tokyo/matrix-client.json
+++ b/hosts/lightsail-tokyo/matrix-client.json
--- a/hosts/lightsail-tokyo/matrix-server.json
+++ b/hosts/lightsail-tokyo/matrix-server.json
--- a/hosts/lightsail-tokyo/robots.txt
+++ b/hosts/lightsail-tokyo/robots.txt
--- a/hosts/lightsail-tokyo/secrets.yaml
+++ b/hosts/lightsail-tokyo/secrets.yaml
--- a/hosts/tyo0/default.nix
+++ b/hosts/tyo0/default.nix
@ -1,151 +0,0 @@
 {
  lib,
  modulesPath,
  pkgs,
  ...
 }: {
  imports = [
    "${modulesPath}/virtualisation/amazon-image.nix"
    ../../nixos/profiles/server
    ./anti-feature.nix
    ./services/forgejo.nix
    ./services/hysteria.nix
    ./services/keycloak.nix
    ./services/miniflux.nix
    ./services/murmur.nix
    ./services/ntfy.nix
    ./services/pixivfe.nix
    ./services/searx.nix
  ];
  time.timeZone = "Asia/Tokyo";
  boot.loader.grub.device = lib.mkForce "/dev/nvme0n1";
  system.stateVersion = "24.05";
  swapDevices = [
    {
      device = "/var/lib/swapfile";
      size = 4 * 1024; # 4 GiB
    }
  ];
  # WORKAROUND:
  systemd.services."print-host-key".enable = false;
  ### Secrets
  sops.secrets = lib.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
    "hysteria/auth" = {
      restartUnits = ["hysteria.service"];
    };
    "pixivfe/environment" = {
      restartUnits = ["pixivfe.service"];
    };
    "searx/environment" = {
      restartUnits = ["searx.service"];
    };
    "miniflux/environment" = {
      restartUnits = ["miniflux.service"];
    };
  };
  ### Services
  networking.firewall.allowedUDPPorts = [443]; # hysteria
  networking.firewall.allowedTCPPorts = [80 443]; # caddy
  systemd.tmpfiles.settings = {
    "10-www" = {
      "/var/www/robots/robots.txt".C.argument = toString ./robots.txt;
      "/var/www/matrix/client".C.argument = toString ./matrix-client.json;
      "/var/www/matrix/server".C.argument = toString ./matrix-server.json;
    };
  };
  services.caddy = {
    enable = true;
    configFile = pkgs.substituteAll {
      src = ./Caddyfile;
      "element" = pkgs.element-web.override {
        element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: {
          version = "1.11.74-rc.0";
          src = oldAttrs.src.overrideAttrs {
            outputHash = "sha256-Dik4vBzybkb6Q7OgEDrQ3FBaUGOmUxr9SplyNm1JWZU=";
          };
          offlineCache = oldAttrs.offlineCache.overrideAttrs {
            outputHash = "sha256-+SSsFUVIVuNpy+CQT6+oFIGvzQLAHEokibXtxsidumQ=";
          };
        });
        conf.default_server_config."m.homeserver" = {
          base_url = "https://matrix.ny4.dev";
          server_name = "ny4.dev";
        };
      };
      "cinny" = pkgs.cinny.override {
        conf = {
          defaultHomeserver = 0;
          homeserverList = ["ny4.dev"];
        };
      };
      "mastodon" = pkgs.mastodon;
    };
  };
  services.postgresql = {
    package = pkgs.postgresql_16;
    settings = {
      max_connections = 200;
      shared_buffers = "256MB";
      effective_cache_size = "768MB";
      maintenance_work_mem = "64MB";
      checkpoint_completion_target = 0.9;
      wal_buffers = "7864kB";
      default_statistics_target = 100;
      random_page_cost = 1.1;
      effective_io_concurrency = 200;
      work_mem = "655kB";
      huge_pages = "off";
      min_wal_size = "1GB";
      max_wal_size = "4GB";
    };
  };
  services.wastebin = {
    enable = true;
    settings.WASTEBIN_ADDRESS_PORT = "127.0.0.1:8200";
  };
  services.uptime-kuma = {
    enable = true;
    settings.PORT = "8300";
  };
  services.redlib = {
    enable = true;
    address = "127.0.0.1";
    port = 9400;
  };
  ### Prevents me from bankrupt
  # https://fmk.im/p/shutdown-aws/
  services.vnstat.enable = true;
  systemd.services."no-bankrupt" = {
    serviceConfig.Type = "oneshot";
    path = with pkgs; [coreutils gawk vnstat systemd];
    script = ''
      TRAFF_TOTAL=1900
      TRAFF_USED=$(vnstat --oneline b | awk -F ';' '{print $11}')
      CHANGE_TO_GB=$(($TRAFF_USED / 1073741824))
      if [ $CHANGE_TO_GB -gt $TRAFF_TOTAL ]; then
          shutdown -h now
      fi
    '';
  };
  systemd.timers."no-bankrupt" = {
    timerConfig.OnCalendar = "*:0:0"; # Check every hour
  };
 }
--- a/hosts/tyo0/services/forgejo.nix
+++ b/hosts/tyo0/services/forgejo.nix
@ -1,19 +0,0 @@
 {pkgs, ...}: {
  services.forgejo = {
    enable = true;
    package = pkgs.forgejo;
    database.type = "postgres";
    settings = {
      server = {
        DOMAIN = "git.ny4.dev";
        PROTOCOL = "http+unix";
        ROOT_URL = "https://git.ny4.dev/";
        SSH_DOMAIN = "tyo0.ny4.dev";
      };
      service = {
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
      };
    };
  };
 }
--- a/hosts/tyo0/services/hysteria.nix
+++ b/hosts/tyo0/services/hysteria.nix
@ -1,29 +0,0 @@
 {config, ...}: {
  services.hysteria = {
    enable = true;
    settings = {
      auth = {
        type = "userpass";
        userpass = {
          _secret = "/run/credentials/hysteria.service/auth";
          quote = false;
        };
      };
      masquerade = {
        type = "proxy";
        proxy.url = "https://ny4.dev/";
      };
      tls = {
        cert = "/run/credentials/hysteria.service/cert";
        key = "/run/credentials/hysteria.service/key";
      };
    };
  };
  systemd.services."hysteria".serviceConfig.LoadCredential = [
    # FIXME: remove hardcoded path
    "auth:${config.sops.secrets."hysteria/auth".path}"
    "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
    "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
  ];
 }
--- a/hosts/tyo0/services/keycloak.nix
+++ b/hosts/tyo0/services/keycloak.nix
@ -1,14 +0,0 @@
 {pkgs, ...}: {
  services.keycloak = {
    enable = true;
    settings = {
      cache = "local";
      hostname = "id.ny4.dev";
      http-host = "127.0.0.1";
      http-port = 8800;
      proxy = "edge";
      # proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
    };
    database.passwordFile = toString (pkgs.writeText "password" "keycloak");
  };
 }
--- a/hosts/tyo0/services/miniflux.nix
+++ b/hosts/tyo0/services/miniflux.nix
@ -1,16 +0,0 @@
 {config, ...}: {
  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
    config = {
      LISTEN_ADDR = "127.0.0.1:9300";
      BASE_URL = "https://rss.ny4.dev";
      OAUTH2_PROVIDER = "oidc";
      OAUTH2_CLIENT_ID = "miniflux";
      # OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile
      OAUTH2_REDIRECT_URL = "https://rss.ny4.dev/oauth2/oidc/callback";
      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
    };
  };
 }
--- a/hosts/tyo0/services/murmur.nix
+++ b/hosts/tyo0/services/murmur.nix
@ -1,8 +0,0 @@
 {
  # `journalctl -u murmur.service | grep Password`
  services.murmur = {
    enable = true;
    openFirewall = true;
    bandwidth = 256 * 1024; # 256 Kbit/s
  };
 }
--- a/hosts/tyo0/services/ntfy.nix
+++ b/hosts/tyo0/services/ntfy.nix
@ -1,14 +0,0 @@
 {
  services.ntfy-sh = {
    enable = true;
    settings = {
      base-url = "https://ntfy.ny4.dev";
      listen-http = "";
      listen-unix = "/run/ntfy-sh/ntfy.sock";
      listen-unix-mode = 511; # 0777
      behind-proxy = true;
    };
  };
  systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = ["ntfy-sh"];
 }
--- a/hosts/tyo0/services/pixivfe.nix
+++ b/hosts/tyo0/services/pixivfe.nix
@ -1,22 +0,0 @@
 {
  pkgs,
  config,
  ...
 }: {
  services.pixivfe = {
    enable = true;
    EnvironmentFile = config.sops.secrets."pixivfe/environment".path;
    settings = {
      PIXIVFE_UNIXSOCKET = "/run/pixivfe/pixiv.sock";
      PIXIVFE_IMAGEPROXY = "https://i.pixiv.re";
    };
  };
  systemd.services.pixivfe.serviceConfig = {
    RuntimeDirectory = ["pixivfe"];
    ExecStartPost = pkgs.writeShellScript "pixivfe-unixsocket" ''
      ${pkgs.coreutils}/bin/sleep 5
      ${pkgs.coreutils}/bin/chmod 777 /run/pixivfe/pixiv.sock
    '';
  };
 }
--- a/hosts/tyo0/services/searx.nix
+++ b/hosts/tyo0/services/searx.nix
@ -1,19 +0,0 @@
 {
  pkgs,
  config,
  ...
 }: {
  services.searx = {
    enable = true;
    package = pkgs.searxng;
    environmentFile = config.sops.secrets."searx/environment".path;
    settings = {
      general.contact_url = "mailto:guanran928@outlook.com";
      search.autocomplete = "google";
      server = {
        port = 8100;
        secret_key = "@SEARX_SECRET@";
      };
    };
  };
 }
--- a/nixos/profiles/opt-in/mihomo/config.yaml
+++ b/nixos/profiles/opt-in/mihomo/config.yaml
@ -11,6 +11,7 @@ use: &use
  type: select
  use:
    - efcloud
    - flyairport
    - spcloud
 port: 7890
@ -29,6 +30,9 @@ proxy-providers:
  efcloud:
    <<: *fetch
    url: "@clash/proxy-providers/efcloud@"
  flyairport:
    <<: *fetch
    url: "@clash/proxy-providers/flyairport@"
  spcloud:
    <<: *fetch
    url: "@clash/proxy-providers/spcloud@"
--- a/nixos/profiles/opt-in/mihomo/default.nix
+++ b/nixos/profiles/opt-in/mihomo/default.nix
@ -10,10 +10,10 @@
    webui = pkgs.metacubexd;
  };
-  systemd.services.mihomo.serviceConfig.preStart = ''
+  systemd.services.mihomo.serviceConfig.ExecStartPre = [
-    ${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-geoip}/share/v2ray/geoip.dat /var/lib/private/mihomo/GeoIP.dat
+    "${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-geoip}/share/v2ray/geoip.dat /var/lib/private/mihomo/GeoIP.dat"
-    ${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-domain-list-community}/share/v2ray/geosite.dat /var/lib/private/mihomo/GeoSite.dat
+    "${pkgs.coreutils}/bin/ln -sf ${pkgs.v2ray-domain-list-community}/share/v2ray/geosite.dat /var/lib/private/mihomo/GeoSite.dat"
-  '';
+  ];
  ### System proxy settings
  networking.proxy.default = "http://127.0.0.1:7890/";
@ -34,12 +34,13 @@
    "clash/secret" = {};
    "clash/proxies/lightsail" = {};
    "clash/proxy-providers/efcloud" = {};
    "clash/proxy-providers/flyairport" = {};
    "clash/proxy-providers/spcloud" = {};
  };
  # why not substituteAll? see https://github.com/NixOS/nixpkgs/issues/237216
  sops.templates."clash.yaml".file = let
-    substituteAll' = {src, ...} @ args: let
+    substituteV2 = {src, ...} @ args: let
      args' = lib.removeAttrs args ["src"];
    in
      pkgs.substitute {
@ -47,13 +48,14 @@
        substitutions = lib.flatten (lib.mapAttrsToList (n: v: ["--subst-var-by" n v]) args');
      };
  in
-    substituteAll' {
+    substituteV2 {
      src = ./config.yaml;
      inherit
        (config.sops.placeholder)
        "clash/secret"
        "clash/proxies/lightsail"
        "clash/proxy-providers/efcloud"
        "clash/proxy-providers/flyairport"
        "clash/proxy-providers/spcloud"
        ;
    };
--- a/nixos/profiles/opt-in/mihomo/secrets.yaml
+++ b/nixos/profiles/opt-in/mihomo/secrets.yaml
@ -3,6 +3,7 @@ clash:
    proxies:
        lightsail: ENC[AES256_GCM,data:YfyZsBi3yMIAMIjotAk4g4M+yYYozSSbKE77oz3lwbRHCMVJqxeo5nR04HrG8Hy2mQvVV09et1MbgnDMhEaSERZvsfaBojFUoRE6Du18n1ET8P1/ez5aKgC6ZnHy90a99mktqD4QDGNE8VDX2xBtNcVLF6i9dJ9di9tJEtnOdw+Q,iv:/uqtX6E2I0sqSWt2FmKwzG9zQb2TjdQqfDBZQXLh8cs=,tag:ofvc5GKEPrizajUaevI1jA==,type:str]
    proxy-providers:
        flyairport: ENC[AES256_GCM,data:x6li/5tWuAX9ZvLVUETLaBDqjB8pb8vSD9jD8HDMXNiiilq03RVHx7eXTiWMVJMlRUBOxvhTXH1fQxzye34aZQMx4BftMOQzvG5soF/P+K5hGapC9wbFnoH8znHkAdIgRLIeDBHRix3ll2OqGhqCENkWF4jjs/Pxqfz5bJlhcA==,iv:lO59riu5seloBRIy8QG02afNciEKvElzovLyaX90iSA=,tag:/L+elOLB2agQdRvg9tR0WQ==,type:str]
        efcloud: ENC[AES256_GCM,data:36mToXGiHVAgM4vVQFOYvNPaHHuVf4mtvnNOgMBTyzbZ/mKpT1Exx7rWZ7i9EVBy5eX7SJtKmnHs0CqD48hr7R708W2oW3YNPEfkK7aGDqfQFyS1TVjT+MM=,iv:+qiFyM10fcAjcdyVZCC+0hb83GYENooM52+1GPXpamQ=,tag:wZupiFJMQq8A5ZwJtjXiOg==,type:str]
        spcloud: ENC[AES256_GCM,data:gmJM+sTTaUrIxQXRBlDtE+K1gEfseMPUC2AQLq1LeY6iQmgq3wK7oJlz+buLbm/LUDitvls9d517905hz/Mpp2F7ohBeW9m1Jkcvdh/Zfgnfqg==,iv:FPe//+/ZMDZloZg2AnQ7JXRzqZdKDjLYs3wqMxqNA/Y=,tag:JPEU/WnUfy8bNlhAgPQwJw==,type:str]
 sops:
@ -47,8 +48,8 @@ sops:
            UG9TTEV5R0R2bm5lUTAwSWlaelJFcW8KfBuQEVhkYJ74wYUjEcFYXFf9oWSSdkGR
            Yu5lpV9UsjaiJxaD1Qp4xtNgMzzLW7q6surQGEReTDBbN1ZCx+S3Aw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-10T15:24:00Z"
+    lastmodified: "2024-07-09T22:04:17Z"
-    mac: ENC[AES256_GCM,data:BGF/DAfOhdw0YZ6PGipXu0sL9+8E1s509bg89dMnAtf1WfreFCQMuHe7uqfkC3Be99proNgJ1O5fWTENaynXyMKto1YF+7z9ZZ3CCOceFLNqbBucaxRFAO+tkMlVixLoqIvEHdyoZD+iM45wOO6mn+/o6wR/z3Ze36wmZCJ1+4c=,iv:s9N2lNx1SwPm0qNyqgGm2Qp5zS4xIhxwp2kj7sQmcQc=,tag:o1/WS7b7FR//IZK1iNQkCg==,type:str]
+    mac: ENC[AES256_GCM,data:iKwYqxBllI8SydCUjyK2cJkcUKVj4CqjmfDSMNJtLwM6IWUoOScV4Pu0YJz0aui5F8nbyC92vdDwsE599GZMTWdCH20MeWEMo7pbkPFxxL1bY5BMCNNE3Tm354nz4ihmBXMB9aI1JRiSareV5yQ1v6lOxzDargDigMrPI/6DRfo=,iv:JRvJQ3YdFZsBstT55xKcCMGJODy42FImugHbwEbpV2I=,tag:go33lpTdouZoFk53g9FXTw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/treefmt.nix
+++ b/treefmt.nix
@ -2,15 +2,15 @@
  projectRootFile = "flake.nix";
  ### nix
  programs.alejandra.enable = true;
  programs.deadnix.enable = true;
  programs.statix.enable = true;
  programs.alejandra.enable = true;
  ### misc
  programs.prettier.enable = true;
  settings.formatter.prettier.excludes = [
    "hosts/blacksteel/secrets.yaml"
-    "hosts/tyo0/secrets.yaml"
+    "hosts/lightsail-tokyo/secrets.yaml"
    "nixos/profiles/opt-in/mihomo/secrets.yaml"
    "nixos/profiles/opt-in/wireless/secrets.yaml"
    "secrets.yaml"