home/mpv: remove sponsorblock

home/sway: actually unset immodule variables
home/mpv: add anime4k
2024-07-20 17:04:44 +08:00 · 2024-07-20 17:04:44 +08:00 · 2024-07-20 17:04:44 +08:00 · 2024-07-20 17:04:44 +08:00 · 2024-07-20 17:04:43 +08:00 · 2024-07-20 17:04:43 +08:00
111 changed files with 1130 additions and 2179 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -18,6 +18,18 @@ creation_rules:
      - age:
          - *guanranwang
          - *lightsail-tokyo
  - path_regex: nixos/profiles/opt-in/mihomo/secrets.yaml$
    key_groups:
      - age:
          - *guanranwang
          - *aristotle
          - *blacksteel
  - path_regex: nixos/profiles/opt-in/wireless/secrets.yaml$
    key_groups:
      - age:
          - *guanranwang
          - *aristotle
          - *blacksteel
  - path_regex: secrets.yaml$
    key_groups:
      - age:
--- a/README.md
+++ b/README.md
@ -4,9 +4,6 @@ It just works™
 ## Structure
 Any directory or file that is prefixed with an `_` (underscore) means that the
 whole directory/file is unused in this repository.
 ```
  .
 │   # Darwin configuration is not actively maintained and sometimes it might
@ -17,7 +14,7 @@ whole directory/file is unused in this repository.
 │  ├──  modules
 │  └──  profiles
 │
-│   # Personal packages, please see github:Guanran928/nur-packages instead
+│   # Internal packages, please see github:Guanran928/nur-packages instead
 ├──  pkgs
 ├──  hosts
 ├──  overlays
@ -27,54 +24,3 @@ whole directory/file is unused in this repository.
 │
 └──  README.md
 ```
 ## Installation:
 Please don't.
 ### NixOS:
 1. Clone this repository
   `$ git clone https://github.com/Guanran928/flake.git`
 2. Add your device's hardware configuration in `./flake.nix` and
   `./hosts/<hostname>`
 3. Install NixOS
   `$ nixos-install --flake <this flake's directory>#<hostname>`
 ### macOS:
 1. Install Nix using [`Determinate Nix Installer`](https://github.com/DeterminateSystems/nix-installer)
   `$ curl --proto '=https' --tlsv1.2 -fsSL https://install.determinate.systems/nix | sh -s -- install`
 2. Clone this repository
   `$ git clone https://github.com/Guanran928/flake.git`
 3. Add your device's hardware configuration in `./flake.nix` and
   `./hosts/<hostname>`
 4. Install [`nix-darwin`](https://github.com/LnL7/nix-darwin?tab=readme-ov-file#flakes)
   `$ nix run nix-darwin -- --flake <this flake's directory>#<hostname> switch`
 ### Nix-On-Droid:
 1. Install [`nix-on-droid`](https://github.com/nix-community/nix-on-droid) and bootstrap with Flakes
   F-Droid: https://f-droid.org/packages/com.termux.nix
 2. Clone this repository
   `$ nix shell nixpkgs#git`
   `$ git clone https://github.com/Guanran928/flake.git`
 3. Add your device's configuration in `./flake.nix` and `./hosts/<hostname>`
 4. Setup Nix-On-Droid
   `$ nix-on-droid --flake <this flake's directory>#<hostname>switch`
--- a/darwin/modules/default.nix
+++ b/darwin/modules/default.nix
@ -1,6 +1,6 @@
 {...}: {
  imports = [
    ./networking/proxy.nix
-    ./services/clash.nix
+    ./services/mihomo.nix
  ];
 }
--- a/darwin/modules/services/mihomo.nix
+++ b/darwin/modules/services/mihomo.nix
@ -4,30 +4,24 @@
  pkgs,
  ...
 }: let
-  cfg = config.services.clash;
+  cfg = config.services.mihomo;
 in {
-  options.services.clash = {
+  options.services.mihomo = {
-    enable = lib.mkEnableOption "Whether to enable Clash, A rule-based proxy in Go.";
+    enable = lib.mkEnableOption "Whether to enable Mihomo, A rule-based proxy in Go.";
-    package = lib.mkPackageOption pkgs "clash" {};
+    package = lib.mkPackageOption pkgs "mihomo" {};
    configFile = lib.mkOption {
      default = null;
      type = lib.types.nullOr lib.types.path;
      description = "Configuration file to use.";
    };
    webui = lib.mkOption {
      default = null;
      type = lib.types.nullOr lib.types.path;
      description = ''
        Local web interface to use.
        You can also use the following website, just in case:
        - metacubexd:
          - http://d.metacubex.one
          - https://metacubex.github.io/metacubexd
          - https://metacubexd.pages.dev
        - yacd:
          - https://yacd.haishan.me
-        - clash-dashboard (buggy):
+        - clash-dashboard:
          - https://clash.razord.top
      '';
    };
@ -41,11 +35,10 @@ in {
  config = lib.mkIf cfg.enable {
    ### launchd service
    # TODO: not run as root user
-    launchd.daemons."clash" = {
+    launchd.daemons."mihomo" = {
      command = builtins.concatStringsSep " " [
        (lib.getExe cfg.package)
-        "-d /etc/clash"
+        "-d /etc/mihomo"
        (lib.optionalString (cfg.configFile != null) "-f ${cfg.configFile}")
        (lib.optionalString (cfg.webui != null) "-ext-ui ${cfg.webui}")
        (lib.optionalString (cfg.extraOpts != null) cfg.extraOpts)
      ];
--- a/darwin/profiles/common/core/nix/nix.nix
+++ b/darwin/profiles/common/core/nix/nix.nix
@ -1,4 +1,5 @@
 {
  lib,
  pkgs,
  config,
  ...
@ -6,23 +7,15 @@
  nix.settings = {
    trusted-users = ["@admin"];
    substituters =
-      {
+      (lib.optionals (config.time.timeZone == "Asia/Shanghai") [
        "Asia/Shanghai" = [
          "https://mirror.sjtu.edu.cn/nix-channels/store" # SJTU - 上海交通大学 Mirror
          "https://mirrors.ustc.edu.cn/nix-channels/store" # USTC - 中国科学技术大学 Mirror
        "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" # TUNA - 清华大学 Mirror
-        ];
+      ])
      }
      .${config.time.timeZone}
      or []
      ++ [
        "https://nix-community.cachix.org"
        "https://cache.garnix.io"
        "https://guanran928.cachix.org"
      ];
    trusted-public-keys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
      "guanran928.cachix.org-1:BE/iBCj2/pqJXG908wHRrcaV0B2fC+KbFjHsXY6b91c="
    ];
    use-xdg-base-directories = true;
--- a/darwin/profiles/common/opt-in/gaming/default.nix
+++ b/darwin/profiles/common/opt-in/gaming/default.nix
@ -1,8 +0,0 @@
 {
  ### home-manager
  home-manager.users.guanranwang = import ./home;
  homebrew.casks = [
    "steam"
  ];
 }
--- a/darwin/profiles/common/opt-in/gaming/home/default.nix
+++ b/darwin/profiles/common/opt-in/gaming/home/default.nix
@ -1,5 +0,0 @@
 {...}: {
  imports = [
    ../../../../../home/applications/prismlauncher
  ];
 }
--- a/darwin/profiles/common/opt-in/mihomo.nix
+++ b/darwin/profiles/common/opt-in/mihomo.nix
@ -1,12 +1,7 @@
-{
+{pkgs, ...}: {
-  pkgs,
+  services.mihomo = {
  config,
  ...
 }: {
  services.clash = {
    enable = true;
-    package = pkgs.clash-meta;
+    webui = pkgs.metacubexd;
    webui = config.nur.repos.guanran928.metacubexd;
  };
  ### System proxy settings
--- a/darwin/profiles/desktop/home/default.nix
+++ b/darwin/profiles/desktop/home/default.nix
@ -5,9 +5,8 @@
  ...
 }: {
  imports = map (n: ../../../../home/applications/${n}) [
    "alacritty"
    "go"
-    "mpv"
+    # "mpv"
    "nix"
  ];
@ -32,11 +31,4 @@
    dockutil
    gawk
  ];
  # macOS don't have fontconfig
  programs = let
    monospace = "JetBrainsMono Nerd Font";
  in {
    alacritty.settings.font.normal.family = monospace;
  };
 }
--- a/darwin/profiles/desktop/packages/_homebrew.nix
+++ b/darwin/profiles/desktop/packages/_homebrew.nix
@ -1,11 +0,0 @@
 {
  homebrew = {
    enable = true;
    casks = [
      "altserver"
      "squirrel"
      "librewolf"
      "google-chrome"
    ];
  };
 }
--- a/darwin/profiles/desktop/packages/default.nix
+++ b/darwin/profiles/desktop/packages/default.nix
@ -1,7 +1,6 @@
 {...}: {
  imports = [
    ./fonts.nix
    # ./homebrew.nix
    ./window-manager.nix
  ];
 }
--- a/darwin/profiles/desktop/packages/fonts.nix
+++ b/darwin/profiles/desktop/packages/fonts.nix
@ -1,6 +1,5 @@
 {pkgs, ...}: {
-  fonts.fontDir.enable = true;
+  fonts.packages = with pkgs; [
  fonts.fonts = with pkgs; [
    (nerdfonts.override {fonts = ["JetBrainsMono"];})
  ];
 }
--- a/darwin/profiles/desktop/packages/window-manager.nix
+++ b/darwin/profiles/desktop/packages/window-manager.nix
@ -21,6 +21,7 @@
    skhd = {
      enable = true;
      skhdConfig = ''
        # FIXME
        cmd - return : open -n ${pkgs.alacritty}/Applications/Alacritty.app
        cmd - 1 : yabai -m space --focus 1             # Focus space
--- a/flake.lock
+++ b/flake.lock
@ -10,11 +10,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1717970544,
+        "lastModified": 1720211568,
-        "narHash": "sha256-YX43aaegfqjXaZ3S+z0JI7SKOEE1Afqm/I9FBIezJ7A=",
+        "narHash": "sha256-Uph6rcbiuOD6bGEySonDFozdO+mznTug08x27WG4BIg=",
        "owner": "ezKEa",
        "repo": "aagl-gtk-on-nix",
-        "rev": "85c380e4e80fbc21d25165626ad2897cbb11af4d",
+        "rev": "ce7e02b20fe45425bbdbebc6fe0fdcc018c9efc6",
        "type": "github"
      },
      "original": {
@ -23,29 +23,6 @@
        "type": "github"
      }
    },
    "berberman": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ],
        "nvfetcher": [
          "nvfetcher"
        ]
      },
      "locked": {
        "lastModified": 1718252558,
        "narHash": "sha256-Yph5ocpdI3a1Ib+V9BQ4/0YyO4UVn8J0WeAvOLYGaGk=",
        "owner": "berberman",
        "repo": "flakes",
        "rev": "73949fb5964f243ff9c28887bfc99c2fe12407c3",
        "type": "github"
      },
      "original": {
        "owner": "berberman",
        "repo": "flakes",
        "type": "github"
      }
    },
    "crane": {
      "inputs": {
        "nixpkgs": [
@ -53,11 +30,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718078026,
+        "lastModified": 1721058578,
-        "narHash": "sha256-LbQabH6h86ZzTvDnaZHmMwedRZNB2jYtUQzmoqWQoJ8=",
+        "narHash": "sha256-fs/PVa3H5dS1//4BjecWi3nitXm5fRObx0JxXIAo+JA=",
        "owner": "ipetkov",
        "repo": "crane",
-        "rev": "a3f0c63eed74a516298932b9b1627dd80b9c3892",
+        "rev": "17e5109bb1d9fb393d70fba80988f7d70d1ded1a",
        "type": "github"
      },
      "original": {
@ -73,11 +50,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718242063,
+        "lastModified": 1721266288,
-        "narHash": "sha256-n3AWItJ4a94GT0cray/eUV7tt3mulQ52L+lWJN9d1E8=",
+        "narHash": "sha256-MsyTzXu9CJVcBr44ct8ILKF/Ro7VlF+tVZTylzAoXSs=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "832a9f2c81ff3485404bd63952eadc17bf7ccef2",
+        "rev": "e8e8d9a3a9c1d0e654ccda7834bf0288a9d15c47",
        "type": "github"
      },
      "original": {
@ -108,11 +85,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1717285511,
+        "lastModified": 1719994518,
-        "narHash": "sha256-iKzJcpdXih14qYVcZ9QC9XuZYnPc6T8YImb6dX166kw=",
+        "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "2a55567fcf15b1b1c7ed712a2c6fadaec7412ea8",
+        "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7",
        "type": "github"
      },
      "original": {
@ -168,11 +145,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718243258,
+        "lastModified": 1721135958,
-        "narHash": "sha256-abBpj2VU8p6qlRzTU8o22q68MmOaZ4v8zZ4UlYl5YRU=",
+        "narHash": "sha256-H548rpPMsn25LDKn1PCFmPxmWlClJJGnvdzImHkqjuY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "8d5e27b4807d25308dfe369d5a923d87e7dbfda3",
+        "rev": "afd2021bedff2de92dfce0e257a3d03ae65c603d",
        "type": "github"
      },
      "original": {
@ -183,11 +160,11 @@
    },
    "impermanence": {
      "locked": {
-        "lastModified": 1717932370,
+        "lastModified": 1719091691,
-        "narHash": "sha256-7C5lCpiWiyPoIACOcu2mukn/1JRtz6HC/1aEMhUdcw0=",
+        "narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
        "owner": "nix-community",
        "repo": "impermanence",
-        "rev": "27979f1c3a0d3b9617a3563e2839114ba7d48d3f",
+        "rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
        "type": "github"
      },
      "original": {
@ -221,11 +198,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718218065,
+        "lastModified": 1719818887,
-        "narHash": "sha256-fKC7Ryg3AYykDrS2ilS1VqA8/9B2m3yFZcshK+7tIEc=",
+        "narHash": "sha256-Bogl1pJlgby7OpR16jp8zwOWV7FHRxCsnNxHcisyIq0=",
        "owner": "nix-community",
        "repo": "lanzaboote",
-        "rev": "7cb05fab896bd542c0ca4260d74d9d664cd7b56e",
+        "rev": "0e6457c98547ec8866714d4222545e7e8c1ae429",
        "type": "github"
      },
      "original": {
@ -250,17 +227,17 @@
        ]
      },
      "locked": {
-        "lastModified": 1712745718,
+        "lastModified": 1720421091,
-        "narHash": "sha256-pAPGjjPEC5Y3DeuqSlDgFRPAZStA1doWowOvmPY7jvk=",
+        "narHash": "sha256-BWvb+z+5LgfjIUIDrNr1Yv5R6ouDLKduZUoJKIQ83as=",
-        "owner": "Guanran928",
+        "ref": "refs/heads/master",
-        "repo": "nvim",
+        "rev": "012748be4f7011416261ec2d60adde19bf17d010",
-        "rev": "3fbc02368d9d554ac2918e48112fbc25957fb03a",
+        "revCount": 67,
-        "type": "github"
+        "type": "git",
        "url": "https://git.ny4.dev/nyancat/nvim"
      },
      "original": {
-        "owner": "Guanran928",
+        "type": "git",
-        "repo": "nvim",
+        "url": "https://git.ny4.dev/nyancat/nvim"
        "type": "github"
      }
    },
    "nix-darwin": {
@ -270,11 +247,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718345812,
+        "lastModified": 1721270582,
-        "narHash": "sha256-FJhA+YFsOFrAYe6EaiTEfomNf7jeURaPiG5/+a3DRSc=",
+        "narHash": "sha256-MdZmYPPExntE5rJu88IhJSy8Um4UyZCTXhOwvzbjDVI=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "ff988d78f2f55641efacdf9a585d2937f7e32a9b",
+        "rev": "a3e4a7b8ffc08c7dc1973822a77ad432e1ec3dec",
        "type": "github"
      },
      "original": {
@ -345,33 +322,13 @@
        "type": "github"
      }
    },
    "nixcasks": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-stable"
        ]
      },
      "locked": {
        "lastModified": 1718401149,
        "narHash": "sha256-THXbbmhDZjEnc+372GYl3JpXKkkuo7nhShv66Reklsk=",
        "owner": "jacekszymanski",
        "repo": "nixcasks",
        "rev": "d35924a6bd7c8a34f31e885754a5564ea06ab833",
        "type": "github"
      },
      "original": {
        "owner": "jacekszymanski",
        "repo": "nixcasks",
        "type": "github"
      }
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1718349360,
+        "lastModified": 1720737798,
-        "narHash": "sha256-SuPne4BMqh9/IkKIAG47Cu5qfmntAaqlHdX1yuFoDO0=",
+        "narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "ae5c8dcc4d0182d07d75df2dc97112de822cb9d6",
+        "rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751",
        "type": "github"
      },
      "original": {
@ -397,11 +354,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1718276985,
+        "lastModified": 1721116560,
-        "narHash": "sha256-u1fA0DYQYdeG+5kDm1bOoGcHtX0rtC7qs2YA2N1X++I=",
+        "narHash": "sha256-++TYlGMAJM1Q+0nMVaWBSEvEUjRs7ZGiNQOpqbQApCU=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "3f84a279f1a6290ce154c5531378acc827836fbb",
+        "rev": "9355fa86e6f27422963132c2c9aeedb0fb963d93",
        "type": "github"
      },
      "original": {
@ -413,11 +370,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1718229064,
+        "lastModified": 1720535198,
-        "narHash": "sha256-ZFav8A9zPNfjZg/wrxh1uZeMJHELRfRgFP+meq01XYk=",
+        "narHash": "sha256-zwVvxrdIzralnSbcpghA92tWu2DV2lwv89xZc8MTrbg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "5c2ec3a5c2ee9909904f860dadc19bc12cd9cc44",
+        "rev": "205fd4226592cc83fd4c0885a3e4c9c400efabb5",
        "type": "github"
      },
      "original": {
@ -468,11 +425,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1718400242,
+        "lastModified": 1721267475,
-        "narHash": "sha256-gLX2eyWb8lVxwI5Uv0F5WKb+YwvlDYnI+sSQB2xMqhw=",
+        "narHash": "sha256-NlMApJs43ao6XhzG27HTkz8xK/UeeyfosVy7EswgzRg=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "d50ea2706590f0edce9f49d8990dbcf82cdb66ec",
+        "rev": "2ed5571f569d46f5b450dee4d4a1de6cb20ded55",
        "type": "github"
      },
      "original": {
@ -481,32 +438,6 @@
        "type": "github"
      }
    },
    "nvfetcher": {
      "inputs": {
        "flake-compat": [
          "flake-compat"
        ],
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1718252448,
        "narHash": "sha256-xZZBdKqe1ByITzvx65pVgGQ5jeb73MybjgrcfI84lEo=",
        "owner": "berberman",
        "repo": "nvfetcher",
        "rev": "fa7609950023462c6f91c425de7610c0bb6b86ba",
        "type": "github"
      },
      "original": {
        "owner": "berberman",
        "repo": "nvfetcher",
        "type": "github"
      }
    },
    "pre-commit-hooks-nix": {
      "inputs": {
        "flake-compat": [
@ -523,11 +454,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1717664902,
+        "lastModified": 1721042469,
-        "narHash": "sha256-7XfBuLULizXjXfBYy/VV+SpYMHreNRHk9nKMsm1bgb4=",
+        "narHash": "sha256-6FPUl7HVtvRHCCBQne7Ylp4p+dpP3P/OYuzjztZ4s70=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "cc4d466cb1254af050ff7bdf47f6d404a7c646d1",
+        "rev": "f451c19376071a90d8c58ab1a953c6e9840527fd",
        "type": "github"
      },
      "original": {
@ -539,7 +470,6 @@
    "root": {
      "inputs": {
        "aagl": "aagl",
        "berberman": "berberman",
        "crane": "crane",
        "disko": "disko",
        "flake-compat": "flake-compat",
@ -553,7 +483,6 @@
        "nix-darwin": "nix-darwin",
        "nix-formatter-pack": "nix-formatter-pack",
        "nix-on-droid": "nix-on-droid",
        "nixcasks": "nixcasks",
        "nixos-hardware": "nixos-hardware",
        "nixos-sensible": "nixos-sensible",
        "nixpkgs": "nixpkgs",
@ -561,7 +490,6 @@
        "nmd": "nmd",
        "nmt": "nmt",
        "nur": "nur",
        "nvfetcher": "nvfetcher",
        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
        "rust-overlay": "rust-overlay",
        "scss-reset": "scss-reset",
@ -573,19 +501,16 @@
    },
    "rust-overlay": {
      "inputs": {
        "flake-utils": [
          "flake-utils"
        ],
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1718331519,
+        "lastModified": 1721269159,
-        "narHash": "sha256-6Ru37wS8uec626nHVIh6hSpCYB7eNc3RPFa2U//bhw4=",
+        "narHash": "sha256-eHrGuKZKQb762qdCkrfoyyxXLKumYhiXJca1ig0RftE=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "419e7fae2731f41dd9b3e34dfe8802be68558b92",
+        "rev": "c3e217122ac55680606d69bc693bdf262f14f602",
        "type": "github"
      },
      "original": {
@ -620,11 +545,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718137936,
+        "lastModified": 1720926522,
-        "narHash": "sha256-psA+1Q5fPaK6yI3vzlLINNtb6EeXj111zQWnZYyJS9c=",
+        "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "c279dec105dd53df13a5e57525da97905cc0f0d6",
+        "rev": "0703ba03fd9c1665f8ab68cc3487302475164617",
        "type": "github"
      },
      "original": {
@ -640,11 +565,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718239576,
+        "lastModified": 1721263500,
-        "narHash": "sha256-Afdz9oCQf8VCGXUhI8KxdJg9gc+fepZK//mYsijfhFw=",
+        "narHash": "sha256-6l0+MciXkktANuZ+Rwc6BZJxtMi7jHZRiSnzG+xpwyk=",
        "owner": "nix-community",
        "repo": "srvos",
-        "rev": "d6280e5c12c4ddb26f0807387777786c66e4c552",
+        "rev": "ef4f2248e1bbd84a0dd269ab31b9927d9c0bf2e6",
        "type": "github"
      },
      "original": {
@ -675,11 +600,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1718271476,
+        "lastModified": 1721059077,
-        "narHash": "sha256-35hUMmFesmchb+u7heKHLG5B6c8fBOcSYo0jj0CHLes=",
+        "narHash": "sha256-gCICMMX7VMSKKt99giDDtRLkHJ0cwSgBtDijJAqTlto=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "e75ba0a6bb562d2ce275db28f6a36a2e4fd81391",
+        "rev": "0fb28f237f83295b4dd05e342f333b447c097398",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -15,11 +15,6 @@
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-compat.follows = "flake-compat";
    };
    berberman = {
      url = "github:berberman/flakes";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.nvfetcher.follows = "nvfetcher";
    };
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
@ -46,7 +41,7 @@
      inputs.rust-overlay.follows = "rust-overlay";
    };
    neovim = {
-      url = "github:Guanran928/nvim";
+      url = "git+https://git.ny4.dev/nyancat/nvim";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
      inputs.treefmt-nix.follows = "treefmt-nix";
@ -71,11 +66,6 @@
      inputs.nix-formatter-pack.follows = "nix-formatter-pack";
      inputs.nmd.follows = "nmd";
    };
    nixcasks = {
      # contains unfree
      url = "github:jacekszymanski/nixcasks";
      inputs.nixpkgs.follows = "nixpkgs-stable";
    };
    nur = {
      url = "github:nix-community/NUR";
    };
@ -125,12 +115,6 @@
      url = "sourcehut:~rycee/nmt";
      flake = false;
    };
    nvfetcher = {
      url = "github:berberman/nvfetcher";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-compat.follows = "flake-compat";
      inputs.flake-utils.follows = "flake-utils";
    };
    pre-commit-hooks-nix = {
      url = "github:cachix/pre-commit-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs";
@ -141,7 +125,6 @@
    rust-overlay = {
      url = "github:oxalica/rust-overlay";
      inputs.nixpkgs.follows = "nixpkgs";
      inputs.flake-utils.follows = "flake-utils";
    };
    scss-reset = {
      url = "github:andreymatin/scss-reset";
@ -161,12 +144,23 @@
      checks = {formatting = treefmtEval.config.build.check inputs.self;};
      ### nix {run,shell,build}
-      packages = import ./pkgs pkgs;
+      legacyPackages = import ./pkgs pkgs;
      ### nix develop
      devShells.default = pkgs.mkShell {
        packages = with pkgs; [
          alejandra
          colmena
          git
          sops
        ];
      };
    })
    // (let
      mkNixOS = system: modules:
        inputs.nixpkgs.lib.nixosSystem {
-          inherit system modules;
+          inherit system;
          modules = [./nixos/profiles/core] ++ modules;
          specialArgs = {inherit inputs;};
        };
@ -203,7 +197,7 @@
      };
      nixOnDroidConfigurations = {
-        "socrates" = mkDroid [./hosts/socrates];
+        "enchilada" = mkDroid [./hosts/enchilada];
      };
      colmena = {
@ -214,6 +208,10 @@
          };
        };
        defaults.imports = [
          ./nixos/profiles/core
        ];
        "lightsail-tokyo" = {
          imports = [./hosts/lightsail-tokyo];
          deployment.targetHost = "tyo0.ny4.dev";
--- a/home/applications/alacritty/default.nix
+++ b/home/applications/alacritty/default.nix
@ -1,23 +0,0 @@
 {
  lib,
  pkgs,
  ...
 }: {
  programs.alacritty = {
    enable = true;
    settings = {
      import = [
        "${pkgs.vimPlugins.tokyonight-nvim}/extras/alacritty/tokyonight_night.toml"
      ];
      cursor.style = "beam";
      font.size = 10;
      # workaround for scaling in X11
      env.WINIT_X11_SCALE_FACTOR = "1";
      # for zellij on macOS
      window.option_as_alt = lib.mkIf pkgs.stdenv.hostPlatform.isDarwin "Both";
    };
  };
 }
--- a/home/applications/bat/default.nix
+++ b/home/applications/bat/default.nix
@ -1,7 +1,6 @@
 {
  programs.bat.enable = true;
  home.sessionVariables = {
    "PAGER" = "bat";
    "MANPAGER" = "sh -c 'col -bx | bat -l man -p'";
    "MANROFFOPT" = "-c";
  };
--- a/home/applications/common/wayland.nix
+++ b/home/applications/common/wayland.nix
@ -1,9 +0,0 @@
 {pkgs, ...}: {
  home.sessionVariables = {
    NIXOS_OZONE_WL = "1"; # let electron applications use wayland
  };
  home.packages = with pkgs; [
    wl-clipboard
  ];
 }
--- a/home/applications/common/wm.nix
+++ b/home/applications/common/wm.nix
@ -1,8 +0,0 @@
 {pkgs, ...}: {
  home.packages = with pkgs; [pwvucontrol];
  # remove csd window buttons
  # https://github.com/localsend/localsend/blob/2457acd8a7412723b174672d174e4853dccd7d99/app/linux/my_application.cc#L45
  home.sessionVariables.GTK_CSD = 0;
  dconf.settings."org/gnome/desktop/wm/preferences"."button-layout" = "icon,appmenu:";
 }
--- a/home/applications/fcitx5/default.nix
+++ b/home/applications/fcitx5/default.nix
@ -1,23 +1,15 @@
-{
+{pkgs, ...}: {
  pkgs,
  inputs,
  ...
 }: {
  i18n.inputMethod = {
    enabled = "fcitx5";
-    fcitx5.addons =
+    fcitx5.addons = with pkgs; [
-      (with pkgs; [
+      qt6Packages.fcitx5-chinese-addons
-        libsForQt5.fcitx5-chinese-addons
+      fcitx5-pinyin-minecraft
        fcitx5-tokyonight
      ])
      ++ (with inputs.berberman.packages.${pkgs.stdenv.hostPlatform.system}; [
      fcitx5-pinyin-moegirl
      fcitx5-pinyin-zhwiki
-      ]);
+    ];
  };
  xdg.configFile."fcitx5/conf/classicui.conf".text = ''
    Theme=Tokyonight-Storm
    Vertical Candidate List=True
    PreferTextIcon=True
  '';
--- a/home/applications/firefox/default.nix
+++ b/home/applications/firefox/default.nix
@ -1,19 +1,16 @@
 {pkgs, ...}: {
  programs.firefox = {
    enable = true;
-    profiles."default" = {
+    package = pkgs.firefox.override {
-      extraConfig = ''
+      extraPrefsFiles = [
-        ${builtins.readFile (pkgs.fetchurl {
+        "${pkgs.arkenfox-userjs}/user.cfg"
-          # FIXME: IFD
+        (pkgs.runCommandLocal "userjs" {} ''
-          url = "https://raw.githubusercontent.com/arkenfox/user.js/126.1/user.js";
+          install -Dm644 ${./user-overrides.js} $out
-          hash = "sha256-XRtG0iLKh8uqbeX7Rc2H6VJwZYJoNZPBlAfZEfrSCP4=";
+          substituteInPlace $out \
-        })}
+            --replace-fail "user_pref" "defaultPref"
-        ${builtins.readFile ./user-overrides.js}
+        '')
-      '';
+      ];
    };
-  };
+    profiles."default" = {};
  home.sessionVariables = {
    MOZ_USE_XINPUT2 = "1";
  };
 }
--- a/home/applications/fish/default.nix
+++ b/home/applications/fish/default.nix
@ -3,7 +3,6 @@
    enable = true;
    interactiveShellInit = ''
      set fish_greeting
      source ${pkgs.vimPlugins.tokyonight-nvim}/extras/fish/tokyonight_night.fish
    '';
    plugins = [
      {
@ -14,36 +13,10 @@
        name = "done";
        inherit (pkgs.fishPlugins.done) src;
      }
      #{
      #  name = "tide";
      #  src = pkgs.fishPlugins.tide.src;
      #}
      {
        name = "sponge";
        inherit (pkgs.fishPlugins.sponge) src;
      }
      {
        name = "puffer";
        inherit (pkgs.fishPlugins.puffer) src;
      }
      {
        name = "sudope";
        src = pkgs.fetchFromGitHub {
          owner = "oh-my-fish";
          repo = "plugin-sudope";
          rev = "83919a692bc1194aa322f3627c859fecace5f496";
          hash = "sha256-pD4rNuqg6TG22L9m8425CO2iqcYm8JaAEXIVa0H/v/U=";
        };
      }
      {
        name = "fish-abbreviation-tips";
        src = pkgs.fetchFromGitHub {
          owner = "gazorby";
          repo = "fish-abbreviation-tips";
          rev = "8ed76a62bb044ba4ad8e3e6832640178880df485";
          hash = "sha256-F1t81VliD+v6WEWqj1c1ehFBXzqLyumx5vV46s/FZRU=";
        };
      }
    ];
  };
 }
--- a/home/applications/foot/default.nix
+++ b/home/applications/foot/default.nix
@ -0,0 +1,10 @@
 {
  programs.foot = {
    enable = true;
    settings = {
      main.font = "monospace:size=10";
      main.resize-by-cells = false;
      cursor.style = "beam";
    };
  };
 }
--- a/home/applications/git/default.nix
+++ b/home/applications/git/default.nix
@ -8,7 +8,10 @@
    signing.signByDefault = true;
    signing.key = "91F97D9ED12639CF";
-    extraConfig.pull.rebase = true;
+    extraConfig = {
      pull.rebase = true;
      push.autoSetupRemote = true;
    };
  };
  programs.gh.enable = true;
--- a/home/applications/kanshi/default.nix
+++ b/home/applications/kanshi/default.nix
@ -0,0 +1,30 @@
 {
  services.kanshi = {
    enable = true;
    settings = [
      {
        profile.name = "internal";
        profile.outputs = [
          {
            criteria = "eDP-1";
            status = "enable";
          }
        ];
      }
      {
        profile.name = "external";
        profile.outputs = [
          {
            criteria = "eDP-1";
            status = "disable";
          }
          {
            criteria = "ASUSTek COMPUTER INC VG27AQML1A S5LMQS059959";
            mode = "2560x1440@240.001007";
            status = "enable";
          }
        ];
      }
    ];
  };
 }
--- a/home/applications/mpv/default.nix
+++ b/home/applications/mpv/default.nix
@ -17,18 +17,68 @@
      slang = "eng,en";
    };
    # FIXME: https://github.com/nix-community/home-manager/pull/5524
    package = pkgs.mpv-unwrapped.wrapper {
      mpv = pkgs.mpv-unwrapped;
    scripts =
      (with pkgs.mpvScripts; [
          thumbfast
          sponsorblock
        modernx-zydezu
        thumbfast
      ])
-        ++ lib.optionals pkgs.stdenv.hostPlatform.isLinux (with pkgs.mpvScripts; [
+      ++ lib.optional pkgs.stdenv.hostPlatform.isLinux pkgs.mpvScripts.mpris;
-          mpris
+
-        ]);
+    bindings = let
      inherit (pkgs) anime4k;
      setShader = message: files: ''no-osd change-list glsl-shaders set "${lib.concatStringsSep ":" files}"; show-text "${message}"'';
    in {
      "CTRL+1" = setShader "Anime4K: Mode A (Fast)" [
        "${anime4k}/Anime4K_Clamp_Highlights.glsl"
        "${anime4k}/Anime4K_Restore_CNN_M.glsl"
        "${anime4k}/Anime4K_Upscale_CNN_x2_M.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x2.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x4.glsl"
        "${anime4k}/Anime4K_Upscale_CNN_x2_S.glsl"
      ];
      "CTRL+2" = setShader "Anime4K: Mode B (Fast)" [
        "${anime4k}/Anime4K_Clamp_Highlights.glsl"
        "${anime4k}/Anime4K_Restore_CNN_Soft_M.glsl"
        "${anime4k}/Anime4K_Upscale_CNN_x2_M.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x2.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x4.glsl"
        "${anime4k}/Anime4K_Upscale_CNN_x2_S.glsl"
      ];
      "CTRL+3" = setShader "Anime4K: Mode C (Fast)" [
        "${anime4k}/Anime4K_Clamp_Highlights.glsl"
        "${anime4k}/Anime4K_Upscale_Denoise_CNN_x2_M.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x2.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x4.glsl"
        "${anime4k}/Anime4K_Upscale_CNN_x2_S.glsl"
      ];
      "CTRL+4" = setShader "Anime4K: Mode A+A (Fast)" [
        "${anime4k}/Anime4K_Clamp_Highlights.glsl"
        "${anime4k}/Anime4K_Restore_CNN_M.glsl"
        "${anime4k}/Anime4K_Upscale_CNN_x2_M.glsl"
        "${anime4k}/Anime4K_Restore_CNN_S.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x2.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x4.glsl"
        "${anime4k}/Anime4K_Upscale_CNN_x2_S.glsl"
      ];
      "CTRL+5" = setShader "Anime4K: Mode B+B (Fast)" [
        "${anime4k}/Anime4K_Clamp_Highlights.glsl"
        "${anime4k}/Anime4K_Restore_CNN_Soft_M.glsl"
        "${anime4k}/Anime4K_Upscale_CNN_x2_M.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x2.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x4.glsl"
        "${anime4k}/Anime4K_Restore_CNN_Soft_S.glsl"
        "${anime4k}/Anime4K_Upscale_CNN_x2_S.glsl"
      ];
      "CTRL+6" = setShader "Anime4K: Mode C+A (Fast)" [
        "${anime4k}/Anime4K_Clamp_Highlights.glsl"
        "${anime4k}/Anime4K_Upscale_Denoise_CNN_x2_M.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x2.glsl"
        "${anime4k}/Anime4K_AutoDownscalePre_x4.glsl"
        "${anime4k}/Anime4K_Restore_CNN_S.glsl"
        "${anime4k}/Anime4K_Upscale_CNN_x2_S.glsl"
      ];
      "CTRL+0" = ''no-osd change-list glsl-shaders clr ""; show-text "GLSL shaders cleared"'';
    };
  };
 }
--- a/home/applications/nautilus/default.nix
+++ b/home/applications/nautilus/default.nix
@ -1,5 +1,5 @@
 {pkgs, ...}: {
-  home.packages = [pkgs.gnome.nautilus];
+  home.packages = [pkgs.nautilus];
  dconf.settings = {
    "org/gnome/nautilus/list-view".default-zoom-level = "small";
    "org/gnome/nautilus/preferences".default-folder-viewer = "list-view";
--- a/home/applications/neovim/default.nix
+++ b/home/applications/neovim/default.nix
@ -8,17 +8,7 @@
      viAlias = true;
      vimAlias = true;
    })
    #pkgs.lunarvim
  ];
  home.sessionVariables."EDITOR" = "nvim";
  # TODO: still couldn't make it work
  #programs.neovim = {
  #  enable = true;
  #  viAlias = true;
  #  vimAlias = true;
  #
  #  package = inputs.neovim.packages.${pkgs.stdenv.hostPlatform.system}.default;
  #};
 }
--- a/home/applications/nix/default.nix
+++ b/home/applications/nix/default.nix
@ -1,26 +1,27 @@
 {pkgs, ...}: {
  home.packages = with pkgs; [
    # lsp
    nil
    alejandra
    statix
    deadnix
    nil
    statix
    # nixpkgs PRs
    nixfmt-rfc-style
    nix-update
    nix-init
    nix-update
    nixfmt-rfc-style
    nixpkgs-review
    # misc
    nh
    nix-output-monitor
    nix-index
    comma
    sops
    colmena
    comma
    nh
    nix-index
    nix-output-monitor
    nix-tree
    sops
  ];
-  # for `nh`
+  # nh
-  # yes, i know, weird and long path
+  home.sessionVariables.FLAKE = "/home/guanranwang/Documents/Projects/flake";
  home.sessionVariables.FLAKE = "/home/guanranwang/Documents/Projects/git-repos/github.com/Guanran928/flake";
 }
--- a/home/applications/rofi/default.nix
+++ b/home/applications/rofi/default.nix
@ -1,20 +0,0 @@
 {
  pkgs,
  lib,
  ...
 }: {
  programs.rofi = {
    enable = true;
    package = pkgs.rofi-wayland;
    font = "monospace";
    terminal = lib.getExe pkgs.alacritty;
  };
  home.packages = with pkgs; [rofi-power-menu];
  # Yes, because I have no idea how to use programs.rofi.theme
  xdg.configFile."rofi" = {
    source = ./rofi;
    recursive = true;
  };
 }
--- a/home/applications/rofi/rofi/colors.rasi
+++ b/home/applications/rofi/rofi/colors.rasi
@ -1,4 +0,0 @@
 * {
  bg: #16161e;
  fg: #6a6f87;
 }
--- a/home/applications/rofi/rofi/config.rasi
+++ b/home/applications/rofi/rofi/config.rasi
@ -1,130 +0,0 @@
 /*
 * Rofi config file
 * ~/.config/rofi/config.rasi
 *
 * Modified from https://github.com/Sinomor/dots/tree/main/.config/bspwm/rofi
 * Really clean and cozy dotfiles btw, liked it :D
 */
 configuration {
  display-drun: ">";
  display-clipboard: ">";
  drun-display-format: "{name}";
  modi: "drun";
 }
@import "~/.config/rofi/colors.rasi"
 * {
  font: "JetBrains Mono SemiBold 14";
  separatorcolor: transparent;
  border: 0;
  margin: 0;
  padding: 0;
  spacing: 0;
 }
 window {
  width: 420px;
  border-radius: 0;
  border: 0;
  padding: 0;
  background-color: @bg;
 }
 mainbox {
  background-color: transparent;
  children: [inputbar,listview];
  padding: 10;
 }
 listview {
  scrollbar: false;
  padding: 2 0;
  background-color: transparent;
  columns: 1;
  lines: 6;
  margin: 8 0 0 0;
 }
 inputbar {
  children: [prompt, entry];
  background-color: transparent;
  border-radius: 0;
 }
 prompt {
  background-color: transparent;
  text-color: @fg;
  enabled: true;
  border-radius: 0;
  padding: 4 10 0 10;
 }
 entry {
  background-color: transparent;
  text-color: @fg;
  placeholder-color: @fg;
  border-radius: 0;
  placeholder: "Search...";
  blink: false;
  padding: 4;
 }
 element {
  background-color: transparent;
  padding: 10;
  border-radius: 0;
 }
 element-text {
  background-color: inherit;
  text-color: inherit;
  expand: true;
  horizontal-align: 0;
  vertical-align: 0.5;
 }
 element-icon {
  background-color: inherit;
  text-color: inherit;
  padding: 0 10 0 0;
 }
 element.normal.normal {
  background-color: transparent;
  text-color: @fg;
 }
 element.normal.urgent {
  background-color: transparent;
  text-color: @fg;
 }
 element.normal.active {
  background-color: transparent;
  text-color: @bg;
 }
 element.selected.normal {
  background-color: @fg;
  text-color: @bg;
 }
 element.selected.urgent {
  background-color: @fg;
  text-color: @bg;
 }
 element.selected.active {
  background-color: @fg;
  text-color:	@bg;
 }
 element.alternate.normal {
  background-color: transparent;
  text-color: @fg;
 }
 element.alternate.urgent {
  background-color: transparent;
  text-color: @fg;
 }
 element.alternate.active {
  background-color: transparent;
  text-color: @fg;
 }
--- a/home/applications/skim/default.nix
+++ b/home/applications/skim/default.nix
@ -1,9 +0,0 @@
 {
  programs.skim = {
    enable = true;
    # SPEED: fd > rg > find
    # STARTUP TIME: find > rg > fd
    defaultCommand = "fd --color never || rg --files --color never || find";
  };
 }
--- a/home/applications/starship/default.nix
+++ b/home/applications/starship/default.nix
@ -1,11 +1,9 @@
-{
+{pkgs, ...}: {
  pkgs,
  lib,
  ...
 }: {
  programs.starship = {
    enable = true;
-    # FIXME: IFD
+  };
-    settings = lib.importTOML "${pkgs.starship}/share/starship/presets/nerd-font-symbols.toml";
+
  home.sessionVariables = {
    "STARSHIP_CONFIG" = "${pkgs.starship}/share/starship/presets/nerd-font-symbols.toml";
  };
 }
--- a/home/applications/sway/background.png
+++ b/home/applications/sway/background.png
--- a/home/applications/sway/default.nix
+++ b/home/applications/sway/default.nix
@ -2,15 +2,28 @@
  config,
  pkgs,
  lib,
  inputs,
  ...
-}: {
+}: let
  # https://www.pixiv.net/en/artworks/49983419
  image = pkgs.fetchurl {
    url = "https://i.pximg.net/img-original/img/2015/04/23/12/43/35/49983419_p0.jpg";
    hash = "sha256-JZ5VmsjVjZfHXpx3JxzAyYzZppZmgH38AiAA+B0TDiw=";
    curlOptsList = ["-e" "https://www.pixiv.net/"];
  };
  # Crop 100px on top and bottom
  background = pkgs.runCommandLocal "49983419_p0.jpg" {} ''
    ${lib.getExe pkgs.imagemagick} convert ${image} -crop 3500x1600+0+100 $out
  '';
 in {
  imports = [
    ../i3status-rust
    ../kanshi
    ../mako
    ../rofi
    ../swayidle
    ../swaylock
    # FIXME: hack
    ./unset-im-module.nix
  ];
  home.sessionVariables = {
@ -25,17 +38,11 @@
  # remove csd window buttons
  # https://github.com/localsend/localsend/blob/2457acd8a7412723b174672d174e4853dccd7d99/app/linux/my_application.cc#L45
  home.sessionVariables.GTK_CSD = 0;
-  dconf.settings."org/gnome/desktop/wm/preferences"."button-layout" = "icon,appmenu:";
+  dconf.settings."org/gnome/desktop/wm/preferences"."button-layout" = "appmenu:";
  services.cliphist.enable = true;
  services.udiskie.enable = true;
  home.sessionVariables = {
    # NOTE: don't use "wayland" in GTK_IM_MODULE! it will crash X11 electron apps
    GTK_IM_MODULE = lib.mkForce ""; # use text-input-v3
    QT_IM_MODULE = lib.mkForce ""; # use text-input-v3
  };
  wayland.windowManager.sway = {
    enable = true;
    checkConfig = false; # wtf?
@ -49,8 +56,7 @@
      ];
      ### Visuals
-      # https://danbooru.donmai.us/posts/6018861
+      output."*".bg = "${background} fill";
      output."*".bg = "${./background.png} fill";
      bars = [
        {
          statusCommand = "${lib.getExe pkgs.i3status-rust} $HOME/.config/i3status-rust/config-default.toml";
@ -85,7 +91,6 @@
      modifier = "Mod4";
      keybindings = let
        inherit (config.wayland.windowManager.sway.config) modifier;
        screenshot = lib.getExe inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.scripts.screenshot;
      in
        {
          ### Sway itself
@ -109,19 +114,17 @@
          ### Execute other stuff
          # Launch applications
-          "${modifier}+Return" = "exec alacritty";
+          "${modifier}+Return" = "exec ${lib.getExe pkgs.foot}";
          "${modifier}+w" = "exec ${pkgs.xdg-utils}/bin/xdg-open http:";
          "${modifier}+e" = "exec ${pkgs.xdg-utils}/bin/xdg-open ~";
-          # Rofi
+          # Launcher
-          "${modifier}+d" = "exec rofi -show drun -show-icons -icon-theme ${config.gtk.iconTheme.name}";
+          "${modifier}+d" = "exec ${lib.getExe' pkgs.wmenu "wmenu-run"}";
-          "${modifier}+Shift+d" = "exec ${lib.getExe pkgs.cliphist} list | rofi -dmenu | ${lib.getExe pkgs.cliphist} decode | ${pkgs.wl-clipboard}/bin/wl-copy";
+          "${modifier}+Shift+d" = "exec ${lib.getExe pkgs.cliphist} list | ${lib.getExe pkgs.wmenu} -l 10 | ${lib.getExe pkgs.cliphist} decode | ${lib.getExe' pkgs.wl-clipboard "wl-copy"}";
-          "${modifier}+Shift+Semicolon" = ''exec rofi -modi "power-menu:rofi-power-menu --confirm=reboot/shutdown" -show power-menu'';
+          "${modifier}+Shift+Semicolon" = "exec loginctl lock-session";
          # Screenshot
-          "${modifier}+Shift+s" = "exec ${screenshot} region";
+          "Print" = "exec env XDG_SCREENSHOTS_DIR=$HOME/Pictures/Screenshots ${lib.getExe pkgs.sway-contrib.grimshot} --notify savecopy anything";
          "Print" = "exec ${screenshot} fullscreen";
          "Print+Control" = "exec ${screenshot} swappy";
          # Fn keys
          "XF86MonBrightnessUp" = "exec ${lib.getExe pkgs.brightnessctl} set 5%+";
--- a/home/applications/sway/unset-im-module.nix
+++ b/home/applications/sway/unset-im-module.nix
@ -0,0 +1,5 @@
 {lib, ...}: {
  options.home.sessionVariables = lib.mkOption {
    apply = x: removeAttrs x ["QT_IM_MODULE" "GTK_IM_MODULE"];
  };
 }
--- a/home/applications/thunderbird/default.nix
+++ b/home/applications/thunderbird/default.nix
@ -1,13 +1,12 @@
-{pkgs, ...}: {
+{
  programs.thunderbird = {
    enable = true;
    profiles.default = {
      isDefault = true;
      extraConfig = ''
-        ${builtins.readFile (pkgs.fetchurl {
+        ${builtins.readFile (builtins.fetchurl {
          # FIXME: IFD
          url = "https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/d6b18302e46349d9924c8a76951bae6efca51501/user.js";
-          hash = "sha256-66B1yLQkQnydAUXD7KGt32OhWSYcdWX+BUozrgW9uAg=";
+          sha256 = "sha256-66B1yLQkQnydAUXD7KGt32OhWSYcdWX+BUozrgW9uAg=";
        })}
        ${builtins.readFile ./user-overrides.js}
      '';
--- a/home/applications/tmux/default.nix
+++ b/home/applications/tmux/default.nix
@ -0,0 +1,21 @@
 {
  programs.tmux = {
    enable = true;
    # value from tmux-sensible, but got overridden by HM (?)
    aggressiveResize = true;
    escapeTime = 0;
    historyLimit = 50000;
    baseIndex = 1;
    customPaneNavigationAndResize = true;
    keyMode = "vi";
    mouse = true;
    newSession = true;
    terminal = "tmux-256color";
    extraConfig = ''
      set -g set-clipboard on
      set -g renumber-windows on
    '';
  };
 }
--- a/home/applications/zellij/default.nix
+++ b/home/applications/zellij/default.nix
@ -1,38 +0,0 @@
 {lib, ...}: {
  programs.zellij = {
    enable = true;
    enableFishIntegration = true;
  };
  # Unsure about the syntax for defining keybindings in Nix (refer to line 16)
  xdg.configFile."zellij/config.kdl".text = lib.mkForce ''
    // TODO: Text selection is not displayed due to the use of the same color as
    //       my terminal background.
    theme "tokyo-night-dark"
    simplified_ui true
    pane_frames false
    default_layout "compact"
    on_force_close "quit"
    mirror_session false
    // WORKAROUND: This feature slows down startup speed, and I don't need it anyway.
    // See: https://github.com/zellij-org/zellij/issues/1757#issuecomment-1962981641
    session_serialization false
    keybinds {
      normal {
        bind "Alt 1" { GoToTab 1; }
        bind "Alt 2" { GoToTab 2; }
        bind "Alt 3" { GoToTab 3; }
        bind "Alt 4" { GoToTab 4; }
        bind "Alt 5" { GoToTab 5; }
        bind "Alt 6" { GoToTab 6; }
        bind "Alt 7" { GoToTab 7; }
        bind "Alt 8" { GoToTab 8; }
        bind "Alt 9" { GoToTab 9; }
        bind "Alt 0" { GoToTab 10; }
      }
    }
  '';
 }
--- a/home/default.nix
+++ b/home/default.nix
@ -38,17 +38,18 @@
    ./applications/bash
    ./applications/bat
    ./applications/eza
    ./applications/neovim
    ./applications/fish
    ./applications/git
    ./applications/gpg
-    ./applications/skim
+    ./applications/neovim
    ./applications/starship
    ./applications/tealdeer
-    ./applications/zellij
+    ./applications/tmux
  ];
  programs.jq.enable = true;
  programs.ripgrep.enable = true;
  programs.skim.enable = true;
  programs.zoxide.enable = true;
  home.packages =
    (with pkgs; [
--- a/hosts/aristotle/README.md
+++ b/hosts/aristotle/README.md
@ -1,13 +0,0 @@
 ### About this device
 ### Hardware
 ```
 $ hostnamectl --json short | jq -r '.HardwareVendor, .HardwareModel'
 Lenovo
 Lenovo Legion Y7000
 ```
 ### Description
 My first computer & my main device (as of Feb. 2024).
--- a/hosts/aristotle/anti-feature.nix
+++ b/hosts/aristotle/anti-feature.nix
@ -8,6 +8,7 @@
        "adoptopenjdk-hotspot-bin"
        "cargo-bootstrap"
        "cef-binary"
        "dart"
        "osu-lazer-bin"
        "rustc-bootstrap"
        "rustc-bootstrap-wrapper"
@ -18,11 +19,14 @@
    allowUnfree = false;
    allowUnfreePredicate = pkg:
      builtins.elem (lib.getName pkg) [
        "fcitx5-pinyin-minecraft"
        "fcitx5-pinyin-moegirl"
        "libXNVCtrl"
        "nvidia-x11"
        "osu-lazer-bin"
        "steam"
        "steam-original"
        "steam-run"
        "xow_dongle-firmware"
      ];
  };
--- a/hosts/aristotle/default.nix
+++ b/hosts/aristotle/default.nix
@ -1,59 +1,157 @@
-{
+{pkgs, ...}: {
  pkgs,
  inputs,
  ...
 }: {
  imports = [
-    # OS
+    ../../nixos/profiles/opt-in/mihomo
-    ../../nixos/profiles/laptop
+    ../../nixos/profiles/opt-in/wireless
    ../../nixos/profiles/common/opt-in/mihomo
    ../../nixos/profiles/common/opt-in/gaming
    # Hardware
    ./hardware-configuration.nix
    ./anti-feature.nix
-    ../../nixos/profiles/common/opt-in/lanzaboote.nix
+    ./disko.nix
-    ../../nixos/profiles/common/opt-in/impermanence.nix
+    ./hardware-configuration.nix
-    ../../nixos/profiles/common/opt-in/disko.nix
+    ./impermanence.nix
    ./lanzaboote.nix
  ];
  boot.loader.efi.canTouchEfiVariables = true;
  networking.hostName = "aristotle";
  time.timeZone = "Asia/Shanghai";
  _module.args.disks = ["/dev/nvme0n1"]; # Disko
  system.stateVersion = "23.11";
  home-manager.users.guanranwang = import ./home;
  services.tailscale = {
    enable = true;
    openFirewall = true;
  };
-  # Stuff that I only want on my main machine
+  environment.systemPackages = with pkgs; [
-  home-manager.users.guanranwang = {
+    yubikey-manager
-    imports = map (n: ../../home/applications/${n}) [
+    localsend
      "thunderbird"
      "ydict"
  ];
-    home.packages = with pkgs;
+  networking.firewall.allowedTCPPorts = [53317];
-      [
+  networking.firewall.allowedUDPPorts = [53317];
        amberol
        fractal
        gnome.gnome-calculator
        hyperfine
        mousai
      ]
      ++ (with inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.scripts; [
        lofi
      ]);
-    programs.obs-studio.enable = true;
+  programs.adb.enable = true;
  programs.anime-game-launcher.enable = true;
  programs.seahorse.enable = true;
  programs.steam.enable = true;
  programs.kdeconnect = {
    enable = true;
    package = pkgs.valent;
  };
-  # for udev rules
+  services.power-profiles-daemon.enable = true;
-  programs.adb.enable = true;
+  services.gvfs.enable = true;
  services.gnome = {
    gnome-keyring.enable = true;
    gnome-online-accounts.enable = true;
    sushi.enable = true;
  };
-  # fucking hell
+  # https://wiki.archlinux.org/title/Gamepad#Connect_Xbox_Wireless_Controller_with_Bluetooth
-  # FIXME: IFD
+  hardware.xone.enable = true; # via wired or wireless dongle
-  programs.anime-game-launcher.enable = true;
+  hardware.xpadneo.enable = true; # via Bluetooth
  # yubikey
  services.pcscd.enable = true;
  services.udev.packages = [pkgs.yubikey-personalization];
  fonts = {
    enableDefaultPackages = false;
    packages = with pkgs; [
      (nerdfonts.override {
        fonts = ["NerdFontsSymbolsOnly"];
      })
      (inter.overrideAttrs {
        installPhase = ''
          runHook preInstall
          install -Dm644 -t $out/share/fonts/truetype/ InterVariable*.ttf
          runHook postInstall
        '';
      })
      (jetbrains-mono.overrideAttrs {
        installPhase = ''
          runHook preInstall
          install -Dm644 -t $out/share/fonts/truetype/ fonts/variable/*.ttf
          runHook postInstall
        '';
      })
      (source-sans.overrideAttrs {
        installPhase = ''
          runHook preInstall
          install -Dm444 VF/*.otf -t $out/share/fonts/variable
          runHook postInstall
        '';
      })
      (source-serif.overrideAttrs {
        installPhase = ''
          runHook preInstall
          install -Dm444 VAR/*.otf -t $out/share/fonts/variable
          runHook postInstall
        '';
      })
      source-han-sans-vf-otf
      source-han-serif-vf-otf
      noto-fonts-color-emoji
    ];
    fontconfig.defaultFonts = {
      emoji = [
        "Noto Color Emoji"
      ];
      # Append emoji font for Qt apps, they might use the monochrome emoji
      monospace = [
        "JetBrains Mono"
        "Source Han Sans SC VF"
        "Symbols Nerd Font"
        "Noto Color Emoji"
      ];
      sansSerif = [
        "Inter Variable"
        "Source Han Sans SC VF"
        "Noto Color Emoji"
      ];
      serif = [
        "Source Serif 4 Variable"
        "Source Han Serif SC VF"
        "Noto Color Emoji"
      ];
    };
  };
  # polkit
  security.polkit.enable = true;
  # systemd.user.services.polkit-gnome-authentication-agent-1 = {
  #   description = "polkit-gnome-authentication-agent-1";
  #   wantedBy = ["graphical-session.target"];
  #   wants = ["graphical-session.target"];
  #   after = ["graphical-session.target"];
  #   serviceConfig = {
  #     Type = "simple";
  #     ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
  #     Restart = "on-failure";
  #     RestartSec = 1;
  #     TimeoutStopSec = 10;
  #   };
  # };
  # security.pam.services.swaylock = {};
  # xdg.portal = {
  #   enable = true;
  #   xdgOpenUsePortal = true;
  #   wlr.enable = true;
  #   extraPortals = [pkgs.xdg-desktop-portal-gtk];
  #   # https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf
  #   config."sway" = {
  #     default = "gtk";
  #     "org.freedesktop.impl.portal.ScreenCast" = "wlr";
  #     "org.freedesktop.impl.portal.Screenshot" = "wlr";
  #     "org.freedesktop.impl.portal.Inhibit" = "none";
  #   };
  # };
  ### Removes debounce time
  # https://www.reddit.com/r/linux_gaming/comments/ku6gth
  environment.etc."libinput/local-overrides.quirks".text = ''
    [Never Debounce]
    MatchUdevType=mouse
    ModelBouncingKeys=1
  '';
 }
--- a/nixos/profiles/common/opt-in/disko.nix
+++ b/nixos/profiles/common/opt-in/disko.nix
@ -1,4 +1,5 @@
-{disks ? ["/dev/sda"], ...}: let
+let
  disks = ["/dev/nvme0n1"];
  # compress-force: https://t.me/archlinuxcn_group/3054167
  mountOptions = ["defaults" "compress-force=zstd" "noatime"];
  cryptSettings = {
--- a/hosts/aristotle/hardware-configuration.nix
+++ b/hosts/aristotle/hardware-configuration.nix
@ -2,17 +2,43 @@
  imports = [
    inputs.nixpkgs.nixosModules.notDetected
    inputs.nixos-hardware.nixosModules.lenovo-legion-y530-15ich
    inputs.nixos-sensible.nixosModules.zram
  ];
  hardware.nvidia.nvidiaSettings = false;
  services.hdapsd.enable = false;
-  my.hardware = {
+  services.thermald.enable = true;
-    audio.enable = true;
+
-    bluetooth.enable = true;
+  security.rtkit.enable = true;
-    tpm.enable = true;
+  hardware.pulseaudio.enable = false;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    jack.enable = true;
  };
  hardware.bluetooth = {
    enable = true;
    settings.General.FastConnectable = true;
  };
  # nouveou
  services.xserver.videoDrivers = [];
  # novideo
  # hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.beta;
  # hardware.nvidia.nvidiaSettings = false;
  # environment.sessionVariables."MOZ_ENABLE_WAYLAND" = "0";
  # networking.networkmanager.enable = false;
  # services.xserver.desktopManager.gnome.enable = true;
  # services.xserver.displayManager.gdm.enable = true;
  # # https://gitlab.gnome.org/GNOME/mutter/-/merge_requests/1562
  # services.udev.extraRules = ''
  #   ENV{DEVNAME}=="/dev/dri/card1", TAG+="mutter-device-preferred-primary"
  # '';
  boot.loader.timeout = 0;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid"];
  boot.kernelModules = ["kvm-intel"];
  nixpkgs.hostPlatform = "x86_64-linux";
--- a/hosts/aristotle/home/default.nix
+++ b/hosts/aristotle/home/default.nix
@ -0,0 +1,62 @@
 {
  pkgs,
  inputs,
  ...
 }: {
  imports =
    [
      ./theme.nix
      ./xdg-mime.nix
    ]
    ++ map (n: ../../../home/applications/${n}) [
      "fcitx5"
      "firefox"
      "foot"
      "go"
      "mpv"
      "nautilus"
      "nix"
      "sway"
      "thunderbird"
      "ydict"
    ];
  # https://wiki.archlinux.org/title/Fish#Start_X_at_login
  programs.fish.loginShellInit = ''
    if test -z "$DISPLAY" -a "$XDG_VTNR" = 1
      exec sway
    end
  '';
  home.packages =
    (with pkgs; [
      amberol
      dconf-editor
      file-roller
      fractal
      gnome-calculator
      hyperfine
      loupe
      mousai
      seahorse
      (prismlauncher.override {
        glfw = glfw-wayland-minecraft;
        gamemodeSupport = false;
      })
      mumble
      osu-lazer-bin
    ])
    ++ (with inputs.self.legacyPackages.${pkgs.stdenv.hostPlatform.system}.scripts; [
      lofi
    ]);
  home.sessionVariables = {
    # https://github.com/ppy/osu-framework/pull/6292
    "OSU_SDL3" = "1";
  };
  programs.mangohud.enable = true;
  programs.obs-studio.enable = true;
  services.ssh-agent.enable = true;
 }
--- a/nixos/profiles/common/graphical/home/theme.nix
+++ b/nixos/profiles/common/graphical/home/theme.nix
@ -6,9 +6,8 @@
 }: {
  home.pointerCursor = {
    name = "Adwaita";
-    package = pkgs.gnome.adwaita-icon-theme;
+    package = pkgs.adwaita-icon-theme;
    size = 24;
    x11.enable = true;
    gtk.enable = true;
  };
@ -17,12 +16,12 @@
    gtk2.configLocation = "${config.xdg.configHome}/gtk-2.0/gtkrc";
    gtk3.bookmarks = [
-      "file://${config.home.homeDirectory}/Documents/Projects/git-repos/github.com/Guanran928/flake"
+      "file://${config.home.homeDirectory}/Documents/Projects/flake"
    ];
    iconTheme = {
      name = "Adwaita";
-      package = pkgs.gnome.adwaita-icon-theme;
+      package = pkgs.adwaita-icon-theme;
    };
    theme = {
@ -31,7 +30,21 @@
    };
  };
-  dconf.settings."org/gnome/desktop/interface"."color-scheme" = "prefer-dark";
+  dconf.settings = {
    "org/gnome/desktop/interface" = {
      "color-scheme" = "prefer-dark";
    };
    # Make GTK listen to fontconfig
    "org/gnome/desktop/wm/preferences" = {
      "titlebar-font" = "Sans Bold 11";
    };
    "org/gnome/desktop/interface" = {
      "font-name" = "Sans 11";
      "document-font-name" = "Sans 11";
      "monospace-font-name" = "Monospace 10";
    };
  };
  # ??? this commit broke nautilus's spacing ???
  # https://github.com/nix-community/home-manager/commit/e9b9ecef4295a835ab073814f100498716b05a96
--- a/nixos/profiles/common/graphical/home/xdg-mime.nix
+++ b/nixos/profiles/common/graphical/home/xdg-mime.nix
--- a/nixos/profiles/common/opt-in/impermanence.nix
+++ b/nixos/profiles/common/opt-in/impermanence.nix
--- a/nixos/profiles/common/opt-in/lanzaboote.nix
+++ b/nixos/profiles/common/opt-in/lanzaboote.nix
@ -1,6 +1,5 @@
 {pkgs, ...}: {
-  environment.systemPackages = with pkgs; [sbctl];
+  environment.systemPackages = [pkgs.sbctl];
  boot.loader.systemd-boot.enable = false;
  boot.lanzaboote = {
    enable = true;
    pkiBundle = "/etc/secureboot";
--- a/hosts/blacksteel/Caddyfile
+++ b/hosts/blacksteel/Caddyfile
@ -0,0 +1,51 @@
 (default) {
 	encode zstd gzip
 	handle_path /robots.txt {
 		file_server * {
 			root /var/www/robots/robots.txt
 		}
 	}
 }
 http://mastodon.ny4.dev:80 {
 	import default
 	handle_path /system/* {
 		file_server * {
 			root /var/lib/mastodon/public-system
 		}
 	}
 	handle /api/v1/streaming/* {
 		reverse_proxy unix//run/mastodon-streaming/streaming-1.socket {
 			header_up X-Forwarded-Proto "https"
 		}
 	}
 	route * {
 		file_server * {
 			root @mastodon@/public
 			pass_thru
 		}
 		reverse_proxy * unix//run/mastodon-web/web.socket {
 			header_up X-Forwarded-Proto "https"
 		}
 	}
 	handle_errors {
 		root * @mastodon@/public
 		rewrite 500.html
 		file_server
 	}
 }
 http://matrix.ny4.dev:80 {
 	import default
 	reverse_proxy /_matrix/* unix//run/matrix-synapse/synapse.sock
 	reverse_proxy /_synapse/client/* unix//run/matrix-synapse/synapse.sock
 	reverse_proxy /health unix//run/matrix-synapse/synapse.sock
 }
 http://syncv3.ny4.dev:80 {
 	import default
 	reverse_proxy unix//run/matrix-sliding-sync/sync.sock
 }
--- a/hosts/blacksteel/README.md
+++ b/hosts/blacksteel/README.md
@ -1,23 +0,0 @@
 # About this device
 ### Hardware
 ```
 $ hostnamectl --json short | jq -r '.HardwareVendor, .HardwareModel'
 Apple Inc.
 MacBookPro11,3
 ```
 ### Description
 Homelab, hosting random stuff through tailscale and rathole.
 ### TODOs:
 - [ ] backlight is always 33% when booted up
 - [ ] encrypted swap
 - [ ] impermanence
 - [ ] luks1 -> luks2
  - [ ] tpm luks unlocking
 - [ ] nouveau -> nvidia
 - [x] networkmanager -> iwd
--- a/hosts/blacksteel/anti-feature.nix
+++ b/hosts/blacksteel/anti-feature.nix
@ -8,13 +8,11 @@
      builtins.elem (lib.getName pkg) [
        "adoptopenjdk-hotspot-bin"
        "cargo-bootstrap"
        "cef-binary"
        "minecraft-server"
        "rustc-bootstrap"
        "rustc-bootstrap-wrapper"
        "sof-firmware"
        "temurin-bin"
        "vscodium"
      ];
    allowUnfree = false;
@ -22,7 +20,6 @@
      builtins.elem (lib.getName pkg) [
        "broadcom-sta"
        "minecraft-server"
        "nvidia-x11"
      ];
  };
 }
--- a/hosts/blacksteel/default.nix
+++ b/hosts/blacksteel/default.nix
@ -2,16 +2,12 @@
  pkgs,
  lib,
  config,
  inputs,
  ...
 }: {
  imports = [
    # OS
-    # FIXME:
+    ../../nixos/profiles/opt-in/mihomo
-    ../../nixos/profiles/common/core
+    ../../nixos/profiles/opt-in/wireless
    ../../nixos/profiles/common/physical
    ../../nixos/profiles/common/mobile
    ../../nixos/profiles/common/opt-in/mihomo
    # Hardware
    ./hardware-configuration.nix
@ -43,6 +39,10 @@
      "mastodon/environment" = {
        restartUnits = ["mastodon-web.service"];
      };
      "cloudflared/secret" = {
        restartUnits = ["cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41.service"];
        owner = config.systemd.services."cloudflared-tunnel-6222a3e0-98da-4325-be19-0f86a7318a41".serviceConfig.User;
      };
    };
  };
@ -54,67 +54,41 @@
    openFirewall = true;
  };
-  services.frp = {
+  services.cloudflared = {
    enable = true;
-    role = "client";
+    tunnels = {
-    settings = {
+      "6222a3e0-98da-4325-be19-0f86a7318a41" = {
-      serverAddr = "18.177.132.61"; # TODO: can I use a domain name?
+        credentialsFile = config.sops.secrets."cloudflared/secret".path;
-      serverPort = 7000;
+        default = "http_status:404";
-      auth.method = "token";
+        ingress = {
-      auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE"; # FIXME: secret!
+          # TODO: is this safe?
-      proxies = [
+          # browser <-> cloudflare cdn <-> cloudflared <-> caddy <-> mastodon
-        {
+          #                                             ^ no tls in this part?
-          name = "synapse";
+          "mastodon.ny4.dev" = "http://localhost:80";
-          type = "tcp";
+          "matrix.ny4.dev" = "http://localhost:80";
-          localIP = "127.0.0.1";
+          "syncv3.ny4.dev" = "http://localhost:80";
          localPort = 8100;
          remotePort = 8600;
        }
        {
          name = "syncv3";
          type = "tcp";
          localIP = "127.0.0.1";
          remotePort = 8700;
          plugin = {
            type = "unix_domain_socket";
            unixPath = "/run/matrix-sliding-sync/sync.sock";
        };
        }
        {
          name = "mastodon-web";
          type = "tcp";
          localIP = "127.0.0.1";
          remotePort = 8900;
          plugin = {
            type = "unix_domain_socket";
            unixPath = "/run/mastodon-web/web.socket";
      };
        }
        {
          name = "mastodon-streaming";
          type = "tcp";
          localIP = "127.0.0.1";
          remotePort = 9000;
          plugin = {
            type = "unix_domain_socket";
            unixPath = "/run/mastodon-streaming/streaming-1.socket";
          };
        }
        {
          name = "mastodon-system";
          type = "tcp";
          localIP = "127.0.0.1";
          remotePort = 9100;
          plugin = {
            type = "static_file";
            localPath = "/var/lib/mastodon/public-system";
          };
        }
      ];
    };
  };
-  systemd.services.frp.serviceConfig.SupplementaryGroups = ["mastodon"];
+  services.caddy = {
    enable = true;
    configFile = pkgs.substituteAll {
      src = ./Caddyfile;
      inherit (pkgs) mastodon;
    };
  };
  systemd.services.caddy.serviceConfig = {
    SupplementaryGroups = ["mastodon" "matrix-synapse"];
  };
  systemd.tmpfiles.settings = {
    "10-www" = {
      "/var/www/robots/robots.txt".C.argument = toString ../lightsail-tokyo/robots.txt;
    };
  };
  services.postgresql = {
    enable = true;
@ -168,12 +142,7 @@
    eula = true;
    openFirewall = true;
-    package = pkgs.callPackage "${inputs.nixpkgs}/pkgs/games/minecraft-servers/derivation.nix" {
+    package = pkgs.minecraftServers.vanilla-1-21;
      version = "1.21";
      sha1 = "450698d1863ab5180c25d7c804ef0fe6369dd1ba";
      url = "https://piston-data.mojang.com/v1/objects/450698d1863ab5180c25d7c804ef0fe6369dd1ba/server.jar";
      jre_headless = pkgs.javaPackages.compiler.openjdk21.headless;
    };
    # Aikar's flag
    # https://aikar.co/2018/07/02/tuning-the-jvm-g1gc-garbage-collector-flags-for-minecraft/
@ -221,10 +190,16 @@
  services.samba = {
    enable = true;
    openFirewall = true;
-    shares."share" = {
+    shares = {
      "share" = {
        path = "/srv/samba/share";
        "read only" = "no";
      };
      "external" = {
        path = "/mnt";
        "read only" = "no";
      };
    };
  };
  services.samba-wsdd = {
@ -239,6 +214,7 @@
  services.matrix-synapse = {
    enable = true;
    withJemalloc = true;
    enableRegistrationScript = false;
    extraConfigFiles = [config.sops.secrets."synapse/secret".path];
    settings = {
      server_name = "ny4.dev";
@ -246,11 +222,8 @@
      presence.enabled = false; # tradeoff
      listeners = [
        {
-          port = 8100;
+          path = "/run/matrix-synapse/synapse.sock";
          bind_addresses = ["127.0.0.1"];
          type = "http";
          tls = false;
          x_forwarded = true;
          resources = [
            {
              names = ["client" "federation"];
@ -265,7 +238,7 @@
        {
          idp_id = "keycloak";
          idp_name = "id.ny4.dev";
-          issuer = "https://id.ny4.dev/realms/master";
+          issuer = "https://id.ny4.dev/realms/ny4";
          client_id = "synapse";
          client_secret_path = config.sops.secrets."synapse/oidc".path;
          scopes = ["openid" "profile"];
@ -280,18 +253,24 @@
    };
  };
-  systemd.services.matrix-synapse.environment = config.networking.proxy.envVars;
+  systemd.services.matrix-synapse = {
    environment = config.networking.proxy.envVars;
    serviceConfig.RuntimeDirectory = ["matrix-synapse"];
  };
  services.matrix-sliding-sync = {
    enable = true;
    environmentFile = config.sops.secrets."syncv3/environment".path;
    settings = {
-      SYNCV3_SERVER = "http://127.0.0.1:8100";
+      SYNCV3_SERVER = "/run/matrix-synapse/synapse.sock";
      SYNCV3_BINDADDR = "/run/matrix-sliding-sync/sync.sock";
    };
  };
-  systemd.services.matrix-sliding-sync.serviceConfig.RuntimeDirectory = ["matrix-sliding-sync"];
+  systemd.services.matrix-sliding-sync.serviceConfig = {
    RuntimeDirectory = ["matrix-sliding-sync"];
    SupplementaryGroups = ["matrix-synapse"];
  };
  services.mastodon = {
    enable = true;
@ -314,7 +293,7 @@
      # OIDC_CLIENT_SECRET # EnvironmentFile
      OIDC_DISCOVERY = "true";
      OIDC_DISPLAY_NAME = "id.ny4.dev";
-      OIDC_ISSUER = "https://id.ny4.dev/realms/master";
+      OIDC_ISSUER = "https://id.ny4.dev/realms/ny4";
      OIDC_REDIRECT_URI = "https://${WEB_DOMAIN}/auth/auth/openid_connect/callback";
      OIDC_SCOPE = "openid,profile,email";
      OIDC_SECURITY_ASSUME_EMAIL_IS_VERIFIED = "true";
--- a/hosts/blacksteel/hardware-configuration.nix
+++ b/hosts/blacksteel/hardware-configuration.nix
@ -11,14 +11,9 @@
    inputs.nixos-hardware.nixosModules.common-hidpi
    inputs.nixos-hardware.nixosModules.common-pc-laptop
    inputs.nixos-hardware.nixosModules.common-pc-laptop-ssd
    inputs.nixos-sensible.nixosModules.zram
  ];
-  my.hardware = {
+  services.thermald.enable = true;
    audio.enable = true;
    bluetooth.enable = true;
    tpm.enable = true;
  };
  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
  boot.kernelModules = ["kvm-intel" "wl"];
--- a/hosts/blacksteel/secrets.yaml
+++ b/hosts/blacksteel/secrets.yaml
@ -1,10 +1,12 @@
 synapse:
    secret: ENC[AES256_GCM,data:H7bHbreE4NmpqXHpkPQ5AkwGOAs97YcQhQZIr5zgK1mgHMTGSbMP57elWMyMAQ3+wCy7x9Jx0H2omrdQh39iG32XoVyyMMoVMQ0OCgFa4O77DHdgG+wrWl7VLWNY,iv:cFbMEqJQG482ShZlpoxRhk7z/y5216WucXfJbkMxuxU=,tag:7iUyMlu2yStLLdkC/V9/DQ==,type:str]
-    oidc: ENC[AES256_GCM,data:vGQcPcUfbv6II6buEMKELc1+xZ5XccpEeCy3vZx4fdk=,iv:ORok/FXZ9SA54zD1+OhyFnZAPhGpMpTetWYgge2QSwQ=,tag:7DxrruTbenUfI/V6hGYBaw==,type:str]
+    oidc: ENC[AES256_GCM,data:ihiMcrrYvPrNDJ13p6/FbINgh5wxv2vyOYxg0sthipM=,iv:+aESWZLI7/4HWjV7QT94py+zGLbTl+VoSsWdiGNHkjU=,tag:yxxZeDOtzFegCQGQT2HCgA==,type:str]
 syncv3:
    environment: ENC[AES256_GCM,data:xVBXP3+w38T700OYu6XL1R1I0NWzcKeORWk5GE2lkWS+kooplcQb/wbov40H+DB522cRzCRutMXmrvGVWO86kIH/jT5tq5iWrdxbSKjTxA==,iv:6rtSdSMYtGnZl8WMmqxaCxbDG7SXhKy0LCXJJkorTvU=,tag:3PE5R31oU3ClL7elK/ca0g==,type:str]
 mastodon:
-    environment: ENC[AES256_GCM,data:cEGz8ZEPUmtPXyJx5oB1xOUvya7lSCW4vQKCp6F6WpgakZdrarez0cOzM8VsfNe3lFe6VQ==,iv:17k4EWB4v/79ApfKw5e8FyqJ1zKEn9xxewkrsRbya9A=,tag:dJjVjhEQGjSrxD9FO2hYEw==,type:str]
+    environment: ENC[AES256_GCM,data:9RjpYXbGo8lBsXKg71Vbp2iTJlvXEGhn8hTl37o8G1E28JWF5Io7+evfqUv+N7QfSk1zbA==,iv:ejfe7f941QB7iiREXx1T9Vej43cW/S9nr03P5lkw9Yg=,tag:odI7xsxoPGBrxd0GnCsnOg==,type:str]
 cloudflared:
    secret: ENC[AES256_GCM,data:QXIl0MqreqPH4LP7IQdA5qQCQdizjFixbOHjqQi/3RjYDt9zt0OejW9rIYnkIRyVj4hnkJBqd1ov/VgdSoNmy/iafIgwqwgsMH0e4R9J6n255p3JG3XBmiYry89xXvQ1SXyzWdUF6p3qgevwzjZnKYyYHT9TbLWc/BkTyyA8g1EGg0O1WfDXhq7u9kOPV4CaU1UX1MMpvZQnsV389PJEWYuK,iv:ASGw5dGOuukRREZ8vMLw5hgZmJhDZSJxDqvfWaxXKJk=,tag:75jf48BEDd4uHkb+2LV5Tg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -29,8 +31,8 @@ sops:
            bGQ1cytGR09Dd2JoaU5CSW1DL1FVR0kK8F2DoJcnd+T+eQ9h39DtaAGCSpS4wXVJ
            hOZBh9fDeue1PwMWufDJ6KGeR0atPbUjn2w0dquvLEdBjt3Un9rFcA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-21T10:09:01Z"
+    lastmodified: "2024-06-21T07:19:43Z"
-    mac: ENC[AES256_GCM,data:HwZxrU64AQ9icbPWi5E8wQOfVDuSXF9/S9s9BoWpX4yewarKS/k2kRagaW4pBHeL3QUDXxQuTazaLEb06LyWezuS/ij1InCZu4D4DPe7EQ/YfQTDj/r1iCEvo1X2fLuSQ8+H8p5KXy0iV7rZbFLPYY3puYJTVwVJbI3m2rSU9bw=,iv:MzoOmFFTPbfA8FxPRZ2gL4HcYbBWxFJ+LfBB2fL0CSk=,tag:kIqgrNow4u2sbMKijyAKfg==,type:str]
+    mac: ENC[AES256_GCM,data:pKWUM3uhmtrwTOlR2jZauWsGSY1d//z+cojpWLFAAKedGjotLB6cmektyAVRHhw3waiM4WR5+BNZ6ghp7qBrM0z2WanJCdSmXqdyxJEydUC9CCFXZG+7SmIZS+7+/LsqejzdYSAMf9DijN74E1EJVS5F0mHhw8QuRmDy3wU789M=,iv:IrOm1Maz8os9Q/ez+TbOxOTr1zwB1loDVHcPbN8kMvg=,tag:AAKp3OH/s2c7u8lp6vkLVg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.8.1
--- a/hosts/enchilada/default.nix
+++ b/hosts/enchilada/default.nix
@ -8,6 +8,7 @@
  environment.packages = with pkgs; [
    git
    openssh
    curl
    diffutils
    findutils
--- a/hosts/lightsail-tokyo/Caddyfile
+++ b/hosts/lightsail-tokyo/Caddyfile
@ -6,25 +6,8 @@
 	}
 }
-(header) {
+(default) {
 	header {
 		# https://observatory.mozilla.org/analyze/ny4.dev
 		# https://infosec.mozilla.org/guidelines/web_security
 		# https://caddyserver.com/docs/caddyfile/directives/header#examples
 		?Content-Security-Policy "default-src https: blob: 'unsafe-eval' 'unsafe-inline'; object-src 'none'"
 		?Permissions-Policy interest-Hpcohort=()
 		?Strict-Transport-Security max-age=31536000;
 		?X-Content-Type-Options nosniff
 		?X-Frame-Options DENY
 	}
 }
 (compression) {
 	encode zstd gzip
 }
 (robots) {
 	handle_path /robots.txt {
 		file_server * {
 			root /var/www/robots/robots.txt
@ -32,13 +15,13 @@
 	}
 }
-(default) {
+www.ny4.dev {
-	import header
+	import default
-	import compression
+	redir https://ny4.dev
 	import robots
 }
-www.ny4.dev {
+# get the certificate for hysteria
 tyo0.ny4.dev {
 	import default
 	redir https://ny4.dev
 }
@ -91,18 +74,6 @@ pixiv.ny4.dev {
 	reverse_proxy unix//run/pixivfe/pixiv.sock
 }
 matrix.ny4.dev {
 	import default
 	reverse_proxy /_matrix/* localhost:8600
 	reverse_proxy /_synapse/client/* localhost:8600
 	reverse_proxy /health localhost:8600
 }
 syncv3.ny4.dev {
 	import default
 	reverse_proxy localhost:8700
 }
 id.ny4.dev {
 	import default
 	reverse_proxy localhost:8800
@ -114,32 +85,17 @@ element.ny4.dev {
 	file_server
 }
 mastodon.ny4.dev {
 	import default
 	handle_path /system/* {
 		reverse_proxy localhost:9100
 	}
 	handle /api/v1/streaming/* {
 		reverse_proxy localhost:9000
 	}
 	route * {
 		file_server * {
 			root @mastodon@/public
 			pass_thru
 		}
 		reverse_proxy * localhost:8900
 	}
 	handle_errors {
 		root * @mastodon@/public
 		rewrite 500.html
 		file_server
 	}
 }
 git.ny4.dev {
 	import default
 	reverse_proxy unix//run/forgejo/forgejo.sock
 }
 rss.ny4.dev {
 	import default
 	reverse_proxy localhost:9300
 }
 reddit.ny4.dev {
 	import default
 	reverse_proxy localhost:9400
 }
--- a/hosts/lightsail-tokyo/default.nix
+++ b/hosts/lightsail-tokyo/default.nix
@ -1,14 +1,13 @@
 {
  modulesPath,
  lib,
  config,
  inputs,
  modulesPath,
  pkgs,
  ...
 }: {
  imports = [
    "${modulesPath}/virtualisation/amazon-image.nix"
    inputs.nixos-sensible.nixosModules.zram
    ../../nixos/profiles/server
    ./anti-feature.nix
  ];
@ -27,6 +26,10 @@
  # WORKAROUND:
  systemd.services."print-host-key".enable = false;
  # FIXME:
  # error: 1 dependencies of derivation '/nix/store/h0wkpjfh0hr1vswyz2f7wk8n03yj0l81-linux-6.10-modules.drv' failed to build
  boot.kernelPackages = pkgs.linuxPackages;
  ### Secrets
  sops = {
    secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
@ -39,37 +42,15 @@
      "searx/environment" = {
        restartUnits = ["searx.service"];
      };
      "miniflux/environment" = {
        restartUnits = ["miniflux.service"];
      };
    templates = {
      "hysteria.yaml".content = ''
        tls:
          cert: /run/credentials/hysteria.service/cert
          key: /run/credentials/hysteria.service/key
        masquerade:
          type: proxy
          proxy:
            url: https://ny4.dev/
        ${config.sops.placeholder."hysteria/auth"}
      '';
    };
  };
  ### Services
-  networking.firewall.allowedUDPPorts = [
+  networking.firewall.allowedUDPPorts = [443]; # hysteria
-    # hysteria
+  networking.firewall.allowedTCPPorts = [80 443]; # caddy
    443
  ];
  networking.firewall.allowedTCPPorts = [
    # caddy
    80
    443
    # frp
    7000
  ];
  systemd.tmpfiles.settings = {
    "10-www" = {
@ -86,12 +67,12 @@
      "element" = pkgs.element-web.override {
        element-web-unwrapped = pkgs.element-web-unwrapped.overrideAttrs (oldAttrs: {
-          version = "1.11.69-rc.1";
+          version = "1.11.70";
          src = oldAttrs.src.overrideAttrs {
-            outputHash = "sha256-vL21wTI9qeIhrFdbI0WsehVy0ZLBj9rayuQnTPC7k8g=";
+            outputHash = "sha256-UzSqChCa94LqaQpMzwQGPX3G2xxOpP3jp5OvR1iBzRs=";
          };
          offlineCache = oldAttrs.offlineCache.overrideAttrs {
-            outputHash = "sha256-nZWclW2tEq7vPRPG5zzhYfExVnmPxYDm8DxME5w5ORI=";
+            outputHash = "sha256-M4FTUtx7vpZIEdu/NM98/zIDGyPOtfocrj29/qChyyQ=";
          };
        });
@ -107,23 +88,31 @@
  services.hysteria = {
    enable = true;
-    configFile = config.sops.templates."hysteria.yaml".path;
+    settings = {
-    credentials = [
+      auth = {
-      # FIXME: remove hardcoded path
+        type = "userpass";
-      "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ny4.dev/ny4.dev.crt"
+        userpass = {
-      "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/ny4.dev/ny4.dev.key"
+          _secret = "/run/credentials/hysteria.service/auth";
-    ];
+          quote = false;
        };
      };
      masquerade = {
        type = "proxy";
        proxy.url = "https://ny4.dev/";
      };
      tls = {
        cert = "/run/credentials/hysteria.service/cert";
        key = "/run/credentials/hysteria.service/key";
      };
    };
  };
-  services.frp = {
+  systemd.services."hysteria".serviceConfig.LoadCredential = [
-    enable = true;
+    # FIXME: remove hardcoded path
-    role = "server";
+    "auth:${config.sops.secrets."hysteria/auth".path}"
-    settings = {
+    "cert:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.crt"
-      bindPort = 7000;
+    "key:/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/tyo0.ny4.dev/tyo0.ny4.dev.key"
-      auth.method = "token";
+  ];
      auth.token = "p4$m93060THuwtYaF0Jnr(RvYGZkI*Lqvh!kGXNesZCm4JQubMQlFDzr#F7rAycE";
    };
  };
  # `journalctl -u murmur.service | grep Password`
  services.murmur = {
@ -189,16 +178,17 @@
  services.keycloak = {
    enable = true;
    settings = {
      cache = "local";
      hostname = "id.ny4.dev";
      http-host = "127.0.0.1";
      http-port = 8800;
      proxy = "edge";
-      hostname-strict-backchannel = true;
+      # proxy-headers = "xforwarded"; # FIXME: Key material not provided to setup HTTPS.
      hostname = "id.ny4.dev";
      cache = "local";
    };
    database.passwordFile = toString (pkgs.writeText "password" "keycloak");
  };
  # TODO: eventually, use blog homepage
  services.homepage-dashboard = {
    enable = true;
    listenPort = 9200;
@ -214,80 +204,66 @@
    services = let
      getDesc = pkg: pkg.meta.description;
-    in [
+      mapAttrsToList' = lib.mapAttrsToList (name: value: {"${name}" = value;}); # also sorts the thing alphabetically
-      {
+    in
-        "Services" = [
+      mapAttrsToList' {
-          {
+        "Services" = mapAttrsToList' {
-            "SearXNG" = {
+          "Mumble" = {
-              description = getDesc pkgs.searxng;
+            description = "${getDesc pkgs.mumble} (Connect with tyo0.ny4.dev:64738)";
              href = "https://searx.ny4.dev";
          };
          }
          {
            "Wastebin" = {
              description = getDesc pkgs.wastebin;
              href = "https://pb.ny4.dev";
            };
          }
          {
          "Ntfy" = {
            description = getDesc pkgs.ntfy;
            href = "https://ntfy.ny4.dev/";
          };
-          }
+          "Redlib" = {
-          {
+            description = getDesc pkgs.redlib;
-            "Mumble" = {
+            href = "https://reddit.ny4.dev/";
-              description = "${getDesc pkgs.mumble} (Connect with ny4.dev:64738)";
+          };
          "SearXNG" = {
            description = getDesc pkgs.searxng;
            href = "https://searx.ny4.dev/";
          };
          "Wastebin" = {
            description = getDesc pkgs.wastebin;
            href = "https://pb.ny4.dev/";
          };
        };
        "Links" = mapAttrsToList' {
          "Blog".href = "https://blog.ny4.dev/";
          "Forgejo".href = "https://git.ny4.dev/nyancat";
          "GitHub".href = "https://github.com/Guanran928";
          "Mastodon".herf = "https://mastodon.ny4.dev/@nyancat";
          "Matrix".href = "https://matrix.to/#/@nyancat:ny4.dev";
        };
        "Private stuff" = mapAttrsToList' {
          "Forgejo" = {
            description = getDesc pkgs.forgejo;
            href = "https://git.ny4.dev/";
          };
          }
        ];
      }
      {
        "Private stuff" = [
          {
          "Mastodon" = rec {
            description = getDesc pkgs.mastodon;
            href = "https://mastodon.ny4.dev/";
            widget.type = "mastodon";
            widget.url = href;
          };
          }
          {
          "Matrix" = {
            description = getDesc pkgs.element-web;
            href = "https://element.ny4.dev/";
          };
-          }
+          "Miniflux" = {
-          {
+            description = getDesc pkgs.miniflux;
            href = "https://rss.ny4.dev/";
          };
          "PixivFE" = {
-              description = "A privacy respecting frontend for Pixiv.";
+            description = getDesc inputs.self.legacyPackages.${pkgs.stdenv.hostPlatform.system}.pixivfe;
            href = "https://pixiv.ny4.dev";
          };
          }
          {
          "Uptime Kuma" = {
            description = getDesc pkgs.uptime-kuma;
            href = "https://uptime.ny4.dev/";
          };
          }
          {
            "Forgejo" = {
              description = getDesc pkgs.forgejo;
              href = "https://git.ny4.dev/";
        };
-          }
+      };
        ];
      }
      {
        "Links" = [
          {"Blog".href = "https://blog.ny4.dev/";}
          {"GitHub".href = "https://github.com/Guanran928";}
          {"Mastodon".herf = "https://mastodon.ny4.dev/@nyancat";}
          {"Matrix".href = "https://matrix.to/#/@root:ny4.dev";}
          {"Forgejo".href = "https://git.ny4.dev/nyancat";}
        ];
      }
    ];
  };
  services.forgejo = {
@ -295,10 +271,10 @@
    database.type = "postgres";
    settings = {
      server = {
        # TODO: whats the difference between this and fcgi+unix
        DOMAIN = "git.ny4.dev";
        PROTOCOL = "http+unix";
        ROOT_URL = "https://git.ny4.dev/";
        SSH_DOMAIN = "tyo0.ny4.dev";
      };
      service = {
@ -307,6 +283,28 @@
    };
  };
  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.sops.secrets."miniflux/environment".path;
    config = {
      LISTEN_ADDR = "127.0.0.1:9300";
      BASE_URL = "https://rss.ny4.dev";
      OAUTH2_PROVIDER = "oidc";
      OAUTH2_CLIENT_ID = "miniflux";
      # OAUTH2_CLIENT_SECRET = "replace_me"; # EnvironmentFile
      OAUTH2_REDIRECT_URL = "https://rss.ny4.dev/oauth2/oidc/callback";
      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.ny4.dev/realms/ny4";
    };
  };
  services.libreddit = {
    enable = true;
    package = pkgs.redlib;
    address = "127.0.0.1";
    port = 9400;
  };
  ### Prevents me from bankrupt
  # https://fmk.im/p/shutdown-aws/
  services.vnstat.enable = true;
--- a/hosts/lightsail-tokyo/robots.txt
+++ b/hosts/lightsail-tokyo/robots.txt
@ -1,33 +1,3 @@
 User-agent: Amazonbot
 Disallow: /
 User-agent: CCBot
 Disallow: /
 User-agent: ChatGPT-User
 Disallow: /
 User-agent: Claude-Web
 Disallow: /
 User-agent: FacebookBot
 Disallow: /
 User-agent: GPTBot
 Disallow: /
 User-agent: Google-Extended
 Disallow: /
 User-agent: Omgilibot
 Disallow: /
 User-agent: anthopic-ai
 Disallow: /
 User-agent: cohere-ai
 Disallow: /
 User-Agent: *
 Disallow: /harming/humans
 Disallow: /ignoring/human/orders
--- a/hosts/lightsail-tokyo/secrets.yaml
+++ b/hosts/lightsail-tokyo/secrets.yaml
@ -1,9 +1,11 @@
 hysteria:
-    auth: ENC[AES256_GCM,data:w92q/SYF6PYEIzW26uIgtjI3TU/ljqzbDrXoCCYw3SdIefYVqQOgyhpe/G7tkQIIh0STaTs7YN8NYUxu23dZcq3/0ooZLPZR+f7autHXYVz9vNMRteNCRtrtqzhiAW47LKXtrUxHMirlEESD+18kPxsUK7i2sjbltA==,iv:yK0ht1l46frIpHVTmQxXgvFMhupXEbjhsRlMGxdt9jQ=,tag:q7XFiLxNxTw9rvioJc/bWw==,type:str]
+    auth: ENC[AES256_GCM,data:cApNP7RrRV+IAqGEhZ4uWQu2U09a0q+bEkW9rdGNJedQF1kykdLFintvmCl4zmJyYOSp8pe+P4xvjmyG1st7F9jhBr/gv9PG30uY1z2GvLKLrKMANosAxq3w6ZhRgUEILsQ=,iv:lAKy/qw1liuoas1P5ZZxssNPCzuV4mZ3i91ctecJVHY=,tag:pSoRRr2jVj2OLchtFQKVsw==,type:str]
 searx:
    environment: ENC[AES256_GCM,data:Chtb7yhooCMU+Hfnqdgwpd1w5gI2LZm4cz8d3YRgznjveO/4HOZ54XMdQVDoiC6ukojHfEUxl+3qIG1wi/s29rhxJekHLtWgJ++OUQKW,iv:viGQRoWbaSlRoovBV01Vl/d17eRVeM8CQUHYRWrflNQ=,tag:2QMYVCXON129pRpW3oOQXg==,type:str]
 pixivfe:
    environment: ENC[AES256_GCM,data:/Q/rShBXlXkWOOP+7OhKtKTSrp2zNizMaAOyKfWbKgJMHTjNfmMtRuGKRez9KXM5MDIMIF9iJSQ=,iv:whIAkaWiZcZT4HfmJw4qA+fbQ9zHFp+kTuHxQDE3XoU=,tag:FroLTMtNwGlvZw3osftj3A==,type:str]
 miniflux:
    environment: ENC[AES256_GCM,data:eT1rVeXbDANk/+9xmxmTHvMNofyplNGvVFgTj4lFQlJSHTi+br1qfg0tddf5aCtE8cNGt0fNm63qguI2Df/+KWENhb0vCpjRG7zryfBhEwMP5jkVgDnaHYolS1z3OmhlEpE=,iv:tWAUCtlk8wDGWGmn7j00QOVwjPYDkTPDGpyxd1pP6ig=,tag:gLNdzK9GZ/m5mWL5YNrzyQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -28,8 +30,8 @@ sops:
            R1ZMMG1jWnljNWl5Nk5MU3RCMlFPYjgKL1ScxzF0D1R18H+oe6dlxUGlL9myHEr3
            3HBPoapKCSQ/cT7Xma4bsWD1AVJIf1Ak+MeCs9ItGwKAcnd9JYZ9KA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-15T07:19:59Z"
+    lastmodified: "2024-07-18T09:46:47Z"
-    mac: ENC[AES256_GCM,data:kaOXFVuCPG0enPjvhJRWyHqOrVnlm1+ifFd/ore3WbB0IjDvC3UAuPHQEG/V/wZJOgqx/BmaL31GQWuHHDYgeRqjmcmCFofI4262fuf4XAaCS/vkZCRGTUgqQxmLNBpGNRMxy+Oyk2wCW92Q9HOJl7Suc8snufdext3Nn7AL+TA=,iv:8n6tNsHnwF8iGyTGo15MrpHfWkY4Fuu/Q3DfCFQgGv4=,tag:EbiACYHI14GMQhIBudzgzw==,type:str]
+    mac: ENC[AES256_GCM,data:EJsQO/XsF8SpyEP8s9u1DXQkSsqodknF9ibl94/kOOIutx9ML+L0ltYA3+/eW17K9Mwvy6CyojKiQLiYgL2RLJd1zxZKedmp+l3klu1im8Wocwh073nemHIR1J6H5hoE6y36tDCXRrMDbWIfMjvlp6FlhFsI/n3Na1iCDall6mA=,iv:O9Y0j5G3sE67Bfz0MhcPYYpU71cGgtIdde8a1WQiigs=,tag:eNIvBVu7LPnC5s2f3MzptQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.9.0
--- a/hosts/socrates/robotnix/disable-gapps.patch
+++ b/hosts/socrates/robotnix/disable-gapps.patch
@ -1,21 +0,0 @@
 ---
 lineage_socrates.mk | 3 ---
 1 file changed, 3 deletions(-)
 diff --git a/lineage_socrates.mk b/lineage_socrates.mk
 index c3e5c0a..f9f0f74 100644
 --- a/lineage_socrates.mk
 +++ b/lineage_socrates.mk
@@ -14,9 +14,6 @@ $(call inherit-product, vendor/lineage/config/common_full_phone.mk)
 # Inherit device configurations
 $(call inherit-product, device/xiaomi/socrates/device.mk)
 -# Inherit from Gapps
 -$(call inherit-product, vendor/gapps/arm64/arm64-vendor.mk)
 -
 ## Device identifier
 PRODUCT_DEVICE := socrates
 PRODUCT_NAME := lineage_socrates
 --
 2.44.0
--- a/hosts/socrates/robotnix/flake.lock
+++ b/hosts/socrates/robotnix/flake.lock
@ -1,130 +0,0 @@
 {
  "nodes": {
    "androidPkgs": {
      "inputs": {
        "devshell": "devshell",
        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs"
      },
      "locked": {
        "lastModified": 1638562808,
        "narHash": "sha256-nnGyBugMQo9WweTgpfPbJu0fHnRtxvsPQ9el2D3wPrY=",
        "owner": "tadfisher",
        "repo": "android-nixpkgs",
        "rev": "a191ab6adb019b09d3bb919bb98dca31d83519d5",
        "type": "github"
      },
      "original": {
        "owner": "tadfisher",
        "ref": "stable",
        "repo": "android-nixpkgs",
        "type": "github"
      }
    },
    "devshell": {
      "locked": {
        "lastModified": 1637575296,
        "narHash": "sha256-ZY8YR5u8aglZPe27+AJMnPTG6645WuavB+w0xmhTarw=",
        "owner": "numtide",
        "repo": "devshell",
        "rev": "0e56ef21ba1a717169953122c7415fa6a8cd2618",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "devshell",
        "type": "github"
      }
    },
    "flake-utils": {
      "locked": {
        "lastModified": 1638122382,
        "narHash": "sha256-sQzZzAbvKEqN9s0bzWuYmRaA03v40gaJ4+iL1LXjaeI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "74f7e4319258e287b0f9cb95426c9853b282730b",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1637841632,
        "narHash": "sha256-QYqiKHdda0EOnLGQCHE+GluD/Lq2EJj4hVTooPM55Ic=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "73369f8d0864854d1acfa7f1e6217f7d6b6e3fa1",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgsUnstable": {
      "locked": {
        "lastModified": 1638376152,
        "narHash": "sha256-ucgLpVqhFnClH7YRUHBHnmiOd82RZdFR3XJt36ks5fE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "6daa4a5c045d40e6eae60a3b6e427e8700f1c07f",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1638371214,
        "narHash": "sha256-0kE6KhgH7n0vyuX4aUoGsGIQOqjIx2fJavpCWtn73rc=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "a640d8394f34714578f3e6335fc767d0755d78f9",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-21.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "robotnix": {
      "inputs": {
        "androidPkgs": "androidPkgs",
        "nixpkgs": "nixpkgs_2",
        "nixpkgsUnstable": "nixpkgsUnstable"
      },
      "locked": {
        "lastModified": 1699510635,
        "narHash": "sha256-OpScLedUNJ6xyEyd5PeAMNKaoi8LMI7RT1lzXPp+UaY=",
        "owner": "danielfullmer",
        "repo": "robotnix",
        "rev": "f941a20537384418c22000f6e6487c92441e0a7f",
        "type": "github"
      },
      "original": {
        "owner": "danielfullmer",
        "repo": "robotnix",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "robotnix": "robotnix"
      }
    }
  },
  "root": "root",
  "version": 7
 }
--- a/hosts/socrates/robotnix/flake.nix
+++ b/hosts/socrates/robotnix/flake.nix
@ -1,49 +0,0 @@
 {
  description = "Build LineageOS for Redmi K60 Pro";
  inputs.robotnix.url = "github:danielfullmer/robotnix";
  outputs = inputs: {
    packages.x86_64-linux.default = inputs.self.robotnixConfigurations."socrates".img;
    robotnixConfigurations."socrates" = inputs.robotnix.lib.robotnixSystem ({pkgs, ...}: {
      device = "socrates";
      flavor = "lineageos";
      androidVersion = 14;
      apps.chromium.enable = false;
      webview.chromium.enable = false;
      ccache.enable = true;
      source.dirs."device/xiaomi/socrates".src = pkgs.fetchFromGitHub {
        owner = "danielml3";
        repo = "android_device_xiaomi_socrates";
        rev = "8b48a7a18b8db76d7122ca6e1b5bde8765d16665"; # lineage-21
        hash = "sha256-pQIbxpZhaxc7nI8Pl8sjG3kmvD3ComFDowjcKb9eZRo=";
      };
      source.dirs."device/xiaomi/socrates-kernel".src = pkgs.fetchFromGitHub {
        owner = "danielml3";
        repo = "android_device_xiaomi_socrates";
        rev = "60cd3aebf59cdf96366e8e4a8a1e2887f7d4d063"; # lineage-21-kernel
        hash = "sha256-i5QtxvApvGk24WeH6i6nC6jhS2jL2BolRUr/M02y6lc=";
      };
      source.dirs."hardware/xiaomi".src = pkgs.fetchFromGitHub {
        owner = "LineageOS";
        repo = "android_hardware_xiaomi";
        rev = "4453055456bb452830144d9526342b032289495e"; # lineage-21
        hash = "sha256-kQoHGKsa5L+usIChTMm63P85N8ZGofcllE4Hybf7itA=";
      };
      # TODO:
      source.dirs."vendor/xiaomi/socrates".src = pkgs.fetchFromGitHub {
        owner = "kmiit";
        repo = "android_vendor_xiaomi_socrates";
        rev = "";
        hash = "";
      };
    });
  };
 }
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@ -1,12 +1,5 @@
 {...}: {
  imports = [
    # utils that is used internally
    ./my/boot.nix
    ./my/hardware/audio.nix
    ./my/hardware/bluetooth.nix
    ./my/hardware/tpm.nix
    # nixpkgs styled options
    ./services/hysteria.nix
    ./services/pixivfe.nix
    ./services/rathole.nix
--- a/nixos/modules/my/boot.nix
+++ b/nixos/modules/my/boot.nix
@ -1,29 +0,0 @@
 {
  config,
  lib,
  ...
 }: let
  cfg = config.my.boot;
 in {
  options = {
    my.boot = {
      silentBoot = lib.mkEnableOption "silent boot";
      noLoaderMenu = lib.mkEnableOption "" // {description = "Whether to disable bootloader menu.";};
    };
  };
  config = {
    ### cfg.noLoaderMenu
    boot.loader.timeout = lib.mkIf cfg.noLoaderMenu 0;
    ### cfg.silentBoot
    boot.consoleLogLevel = lib.mkIf cfg.silentBoot 0;
    boot.kernelParams =
      lib.mkIf cfg.silentBoot
      (["quiet"]
        ++ lib.optionals config.boot.initrd.systemd.enable [
          "systemd.show_status=auto"
          "rd.udev.log_level=3"
        ]);
  };
 }
--- a/nixos/modules/my/hardware/audio.nix
+++ b/nixos/modules/my/hardware/audio.nix
@ -1,24 +0,0 @@
 {
  lib,
  config,
  ...
 }: let
  cfg = config.my.hardware.audio;
 in {
  options = {
    my.hardware.audio.enable = lib.mkEnableOption "audio";
  };
  # https://nixos.wiki/wiki/PipeWire
  config = lib.mkIf cfg.enable {
    security.rtkit.enable = true;
    hardware.pulseaudio.enable = false;
    services.pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
    };
  };
 }
--- a/nixos/modules/my/hardware/bluetooth.nix
+++ b/nixos/modules/my/hardware/bluetooth.nix
@ -1,21 +0,0 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: let
  cfg = config.my.hardware.bluetooth;
 in {
  options = {
    my.hardware.bluetooth.enable = lib.mkEnableOption "bluetooth";
  };
  # https://nixos.wiki/wiki/Bluetooth
  config = lib.mkIf cfg.enable {
    environment.systemPackages = lib.mkIf config.services.xserver.enable (with pkgs; [blueberry]);
    hardware.bluetooth = {
      enable = true;
      settings.General.FastConnectable = true;
    };
  };
 }
--- a/nixos/modules/my/hardware/tpm.nix
+++ b/nixos/modules/my/hardware/tpm.nix
@ -1,20 +0,0 @@
 {
  lib,
  config,
  ...
 }: let
  cfg = config.my.hardware.tpm;
 in {
  options = {
    my.hardware.tpm.enable = lib.mkEnableOption "TPM";
  };
  # https://nixos.wiki/wiki/TPM
  config = lib.mkIf cfg.enable {
    security.tpm2 = {
      enable = true;
      pkcs11.enable = true;
      tctiEnvironment.enable = true;
    };
  };
 }
--- a/nixos/modules/services/hysteria.nix
+++ b/nixos/modules/services/hysteria.nix
@ -1,10 +1,12 @@
 {
  pkgs,
  config,
  lib,
  pkgs,
  utils,
  ...
 }: let
  cfg = config.services.hysteria;
  settingsFormat = pkgs.formats.json {};
 in {
  options.services.hysteria = {
    enable = lib.mkEnableOption "Hysteria, a powerful, lightning fast and censorship resistant proxy";
@ -17,54 +19,39 @@ in {
      description = "Whether to use Hysteria as a client or a server.";
    };
-    configFile = lib.mkOption {
+    settings = lib.mkOption {
-      default = null;
+      type = lib.types.submodule {
-      type = lib.types.nullOr lib.types.path;
+        freeformType = settingsFormat.type;
      description = "Configuration file to use.";
      };
-
+      default = {};
    credentials = lib.mkOption {
      type = lib.types.listOf lib.types.str;
      default = [];
      example = lib.literalExpression ''
        [
          "cert:/tmp/certificate.crt"
          "key:/tmp/private-key.key"
        ];
      '';
      description = ''
-        Extra credentials loaded by systemd, you can access them by `/run/credentials/hysteria.service/foobar`.
+        The Hysteria configuration, see https://hysteria.network/ for documentation.
-        See `systemd.exec(5)` for more information.
+        Options containing secret data should be set to an attribute set
        containing the attribute `_secret` - a string pointing to a file
        containing the value the option should be set to.
        Ignored when `services.hysteria.configFile` is set.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    assertions = [
      {
        assertion = cfg.configFile != null;
        message = "A configuration file is required for Hysteria";
      }
    ];
    systemd.services."hysteria" = {
      description = "Hysteria daemon, a powerful, lightning fast and censorship resistant proxy.";
      documentation = ["https://hysteria.network/"];
      wantedBy = ["multi-user.target"];
      after = ["network-online.target"];
      wants = ["network-online.target"];
-      restartTriggers = [cfg.configFile];
+      preStart = utils.genJqSecretsReplacementSnippet cfg.settings "/var/lib/private/hysteria/config.json";
      serviceConfig = {
        ExecStart = lib.concatStringsSep " " [
          (lib.getExe cfg.package)
          cfg.mode
-          "--disable-update-check"
+          "--config /var/lib/private/hysteria/config.json"
          "--config $\{CREDENTIALS_DIRECTORY}/config.yaml" # TODO: support other formats
        ];
        DynamicUser = true;
        StateDirectory = "hysteria";
        LoadCredential = ["config.yaml:${cfg.configFile}"] ++ cfg.credentials;
        ### Hardening
        AmbientCapabilities = ["CAP_NET_ADMIN" "CAP_NET_BIND_SERVICE" "CAP_NET_RAW"];
--- a/nixos/modules/services/pixivfe.nix
+++ b/nixos/modules/services/pixivfe.nix
@ -1,7 +1,8 @@
 {
  pkgs,
  config,
  lib,
  config,
  inputs,
  pkgs,
  ...
 }: let
  cfg = config.services.pixivfe;
@ -9,10 +10,7 @@ in {
  options.services.pixivfe = {
    enable = lib.mkEnableOption "PixivFE, a privacy respecting frontend for Pixiv";
-    # package = lib.mkPackageOption pkgs "pixivfe" {};
+    package = lib.mkPackageOption inputs.self.legacyPackages.${pkgs.stdenv.hostPlatform.system} "pixivfe" {};
    package = lib.mkOption {
      default = pkgs.callPackage ./pixivfe-pkg.nix {};
    };
    openFirewall = lib.mkEnableOption "open ports in the firewall needed for the daemon to function";
--- a/nixos/profiles/common/core/fun.nix
+++ b/nixos/profiles/common/core/fun.nix
@ -1,24 +0,0 @@
 {
  lib,
  config,
  ...
 }: {
  options = {
    system.nixos.codeName = lib.mkOption {readOnly = false;};
  };
  config = {
    # https://github.com/NixOS/nixpkgs/issues/315574
    system.nixos.codeName = "骆马";
    services.getty.greetingLine = let
      inherit (config.system) nixos;
    in ''
      NixOS ${nixos.label} ${nixos.codeName} (\m) - \l
      ${lib.strings.optionalString (builtins.elem "nvidia" config.services.xserver.videoDrivers)
        "--my-next-gpu-wont-be-nvidia"}
      ${lib.strings.optionalString (builtins.elem "amdgpu" config.boot.initrd.kernelModules)
        "[    5.996722] amdgpu 0000:67:00.0: Fatal error during GPU init"}
    '';
  };
 }
--- a/nixos/profiles/common/core/hardening/sysctl.nix
+++ b/nixos/profiles/common/core/hardening/sysctl.nix
@ -1,50 +0,0 @@
 {
  boot.kernel.sysctl = {
    ### https://madaidans-insecurities.github.io/guides/linux-hardening.html#sysctl
    # Kernel self-protection
    "kernel.kptr_restrict" = "2";
    "kernel.dmesg_restrict" = "1";
    "kernel.printk" = "3 3 3 3"; #
    "kernel.unprivileged_bpf_disabled" = "1";
    "net.core.bpf_jit_harden" = "2";
    "dev.tty.ldisc_autoload" = "0";
    "vm.unprivileged_userfaultfd" = "0";
    "kernel.kexec_load_disabled" = "1";
    "kernel.sysrq" = "4"; #
    #"kernel.unprivileged_userns_clone" = "0"; # does not exist on nixos
    "kernel.perf_event_paranoid" = "3";
    # Network
    "net.ipv4.tcp_syncookies" = "1";
    "net.ipv4.tcp_rfc1337" = "1";
    "net.ipv4.conf.all.rp_filter" = "1";
    "net.ipv4.conf.default.rp_filter" = "1";
    "net.ipv4.conf.all.accept_redirects" = "0";
    "net.ipv4.conf.default.accept_redirects" = "0";
    "net.ipv4.conf.all.secure_redirects" = "0";
    "net.ipv4.conf.default.secure_redirects" = "0";
    "net.ipv6.conf.all.accept_redirects" = "0";
    "net.ipv6.conf.default.accept_redirects" = "0";
    "net.ipv4.conf.all.send_redirects" = "0";
    "net.ipv4.conf.default.send_redirects" = "0";
    "net.ipv4.icmp_echo_ignore_all" = "1";
    "net.ipv4.conf.all.accept_source_route" = "0";
    "net.ipv4.conf.default.accept_source_route" = "0";
    "net.ipv6.conf.all.accept_source_route" = "0";
    "net.ipv6.conf.default.accept_source_route" = "0";
    "net.ipv6.conf.all.accept_ra" = "0";
    "net.ipv6.conf.default.accept_ra" = "0";
    "net.ipv4.tcp_sack" = "0";
    "net.ipv4.tcp_dsack" = "0";
    "net.ipv4.tcp_fack" = "0";
    # User Space
    "kernel.yama.ptrace_scope" = "2";
    "vm.mmap_rnd_bits" = "32";
    "vm.mmap_rnd_compat_bits" = "16";
    "fs.protected_symlinks" = "1";
    "fs.protected_hardlinks" = "1";
    "fs.protected_fifos" = "2";
    "fs.protected_regular" = "2";
  };
 }
--- a/nixos/profiles/common/core/networking/default.nix
+++ b/nixos/profiles/common/core/networking/default.nix
@ -1,18 +0,0 @@
 {
  lib,
  config,
  ...
 }: {
  networking.wireless.iwd.enable = lib.mkDefault true;
  services.resolved.enable = true;
  sops.secrets."wireless/wangxiaobo".path = lib.mkIf config.networking.wireless.iwd.enable "/var/lib/iwd/wangxiaobo.psk";
  sops.secrets."wireless/OpenWrt".path = lib.mkIf config.networking.wireless.iwd.enable "/var/lib/iwd/OpenWrt.psk";
  ### https://wiki.archlinux.org/title/Sysctl#Improving_performance
  boot.kernelModules = ["tcp_bbr"];
  boot.kernel.sysctl = {
    "net.core.default_qdisc" = "cake";
    "net.ipv4.tcp_congestion_control" = "bbr";
  };
 }
--- a/nixos/profiles/common/core/nix/default.nix
+++ b/nixos/profiles/common/core/nix/default.nix
@ -1,8 +0,0 @@
 {...}: {
  imports = [
    ./flake.nix
    ./nix.nix
    ./gc.nix
    #./monitor.nix
  ];
 }
--- a/nixos/profiles/common/core/nix/flake.nix
+++ b/nixos/profiles/common/core/nix/flake.nix
@ -1,27 +0,0 @@
 # ref: https://github.com/Misterio77/nix-config/blob/main/hosts/common/global/nix.nix
 {
  pkgs,
  inputs,
  lib,
  ...
 }: {
  # Enable Flakes
  nix.settings.experimental-features = ["nix-command" "flakes"];
  # Disable nix-channel
  nix.channel.enable = false;
  # Disable flake-registry
  nix.settings.flake-registry = "";
  # Add each flake input as a registry
  # To make nix3 commands consistent with the flake
  nix.registry = lib.mapAttrs (_: value: {flake = value;}) inputs;
  # Install Git
  environment.systemPackages = [pkgs.git];
  # Does not work with Flake based configurations
  system.copySystemConfiguration = false;
  programs.command-not-found.enable = false;
 }
--- a/nixos/profiles/common/core/nix/gc.nix
+++ b/nixos/profiles/common/core/nix/gc.nix
@ -1,19 +0,0 @@
 {
  nix = {
    ### Auto hard linking
    settings.auto-optimise-store = true;
    ### Automatically delete older NixOS builds
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
    ### optimiser
    optimise = {
      automatic = true;
      dates = ["03:45"];
    };
  };
 }
--- a/nixos/profiles/common/core/nix/nix.nix
+++ b/nixos/profiles/common/core/nix/nix.nix
@ -1,48 +0,0 @@
 {config, ...}: {
  nix.settings = {
    substituters =
      {
        "Asia/Shanghai" = [
          "https://mirror.sjtu.edu.cn/nix-channels/store" # SJTU - 上海交通大学 Mirror
          "https://mirrors.ustc.edu.cn/nix-channels/store" # USTC - 中国科学技术大学 Mirror
          "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" # TUNA - 清华大学 Mirror
        ];
      }
      .${config.time.timeZone}
      or []
      ++ [
        "https://nix-community.cachix.org"
        "https://cache.garnix.io"
        # Personal cachix-s
        "https://berberman.cachix.org"
        "https://guanran928.cachix.org"
      ];
    trusted-public-keys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
      "berberman.cachix.org-1:UHGhodNXVruGzWrwJ12B1grPK/6Qnrx2c3TjKueQPds="
      "guanran928.cachix.org-1:BE/iBCj2/pqJXG908wHRrcaV0B2fC+KbFjHsXY6b91c="
    ];
    trusted-users = ["@wheel"];
    experimental-features = ["auto-allocate-uids" "cgroups"];
    auto-allocate-uids = true;
    builders-use-substitutes = true;
    use-cgroups = true;
    use-xdg-base-directories = true;
  };
  documentation = {
    doc.enable = false;
    info.enable = false;
    nixos.enable = false;
  };
  # https://github.com/NixOS/nixpkgs/pull/308801
  # nixos/switch-to-configuration: add new implementation
  system.switch = {
    enable = false;
    enableNg = true;
  };
 }
--- a/nixos/profiles/common/graphical/default.nix
+++ b/nixos/profiles/common/graphical/default.nix
@ -1,92 +0,0 @@
 {
  pkgs,
  lib,
  ...
 }: {
  ### home-manager
  home-manager.users.guanranwang = import ./home;
  # plymouth
  #boot.plymouth.enable = true;
  # xserver
  services.xserver = {
    enable = true;
    excludePackages = with pkgs; [xterm];
    displayManager.startx.enable = true;
  };
  # gnome keyring
  programs.seahorse.enable = true;
  # polkit
  security.polkit.enable = true;
  environment.systemPackages = with pkgs; [polkit_gnome];
  systemd.user.services.polkit-gnome-authentication-agent-1 = {
    description = "polkit-gnome-authentication-agent-1";
    wantedBy = ["graphical-session.target"];
    wants = ["graphical-session.target"];
    after = ["graphical-session.target"];
    serviceConfig = {
      Type = "simple";
      ExecStart = "${pkgs.polkit_gnome}/libexec/polkit-gnome-authentication-agent-1";
      Restart = "on-failure";
      RestartSec = 1;
      TimeoutStopSec = 10;
    };
  };
  ### Options
  my.boot.noLoaderMenu = lib.mkDefault true;
  fonts.enableDefaultPackages = false;
  security.pam.services.swaylock = {};
  xdg.portal = {
    enable = true;
    xdgOpenUsePortal = true;
    wlr.enable = true;
    extraPortals = with pkgs; [xdg-desktop-portal-gtk];
    # https://gitlab.archlinux.org/archlinux/packaging/packages/sway/-/blob/main/sway-portals.conf
    config."sway" = {
      default = "gtk";
      "org.freedesktop.impl.portal.ScreenCast" = "wlr";
      "org.freedesktop.impl.portal.Screenshot" = "wlr";
      "org.freedesktop.impl.portal.Inhibit" = "none";
    };
  };
  services = {
    gvfs.enable = true;
    gnome = {
      gnome-keyring.enable = true;
      sushi.enable = true;
      gnome-online-accounts.enable = true;
    };
  };
  programs = {
    kdeconnect = {
      enable = true;
      #package = pkgs.gnomeExtensions.gsconnect;
      package = pkgs.valent;
    };
  };
  services.libinput = {
    touchpad = {
      accelProfile = "flat";
      naturalScrolling = true;
      middleEmulation = false;
    };
    mouse = {
      accelProfile = "flat";
      naturalScrolling = true;
      middleEmulation = false;
    };
  };
  ### Removes debounce time
  # https://www.reddit.com/r/linux_gaming/comments/ku6gth
  environment.etc."libinput/local-overrides.quirks".text = ''
    [Never Debounce]
    MatchUdevType=mouse
    ModelBouncingKeys=1
  '';
 }
--- a/nixos/profiles/common/graphical/home/default.nix
+++ b/nixos/profiles/common/graphical/home/default.nix
@ -1,40 +0,0 @@
 {pkgs, ...}: {
  imports =
    [
      ./fonts
      ./theme.nix
      ./xdg-mime.nix
    ]
    ++ map (n: ../../../../../home/applications/${n}) [
      "alacritty"
      "fcitx5"
      "firefox"
      "go"
      "mpv"
      "nautilus"
      "nix"
      "sway"
    ];
  # https://wiki.archlinux.org/title/Fish#Start_X_at_login
  programs.fish.loginShellInit = ''
    if test -z "$DISPLAY" -a "$XDG_VTNR" = 1
      exec sway
    end
  '';
  home.packages =
    (with pkgs; [
      loupe
    ])
    ++ (with pkgs.gnome; [
      seahorse
      file-roller
      gnome-calculator
      dconf-editor
    ]);
  services = {
    ssh-agent.enable = true;
  };
 }
--- a/nixos/profiles/common/graphical/home/fonts/default.nix
+++ b/nixos/profiles/common/graphical/home/fonts/default.nix
@ -1,71 +0,0 @@
 {pkgs, ...}: {
  # WARN: I don't know fontconfig and I have no idea what am I doing. Please do not use as reference.
  xdg.configFile = {
    "fontconfig/fonts.conf".source = ./fonts.conf;
    "fontconfig/conf.d/10-web-ui-fonts.conf".source = pkgs.fetchurl {
      url = "https://raw.githubusercontent.com/lilydjwg/dotconfig/1b22d4f0740bb5bbd7c65b6c468920775171b207/fontconfig/web-ui-fonts.conf";
      hash = "sha256-A4DcV6HTW/IRxXN3NaI1GUfoFdalwgFLpCjgbWENdZU=";
    };
    "fontconfig/conf.d/10-source-han-for-noto-cjk.conf".source = pkgs.fetchurl {
      url = "https://raw.githubusercontent.com/lilydjwg/dotconfig/1b22d4f0740bb5bbd7c65b6c468920775171b207/fontconfig/source-han-for-noto-cjk.conf";
      hash = "sha256-jcdDr5VW1qZXbApgfT5FZgxonpRnLs9AY0QagfdL8ic=";
      postFetch = ''
        substitutionInPlace $out \
          --replace-warn "Source Han Sans" "Source Han Sans VF" \
          --replace-warn "Source Han Serif" "Source Han Serif VF"
      '';
    };
    "fontconfig/conf.d/10-nerd-font-symbols.conf".source = pkgs.fetchurl {
      url = "https://raw.githubusercontent.com/ryanoasis/nerd-fonts/${pkgs.nerdfonts.version}/10-nerd-font-symbols.conf";
      hash = "sha256-XwJMkcDtGlI+LFMrjCl/gicAnoBWnq3p9adrmieNZwU=";
    };
  };
  # Make GTK listen to fontconfig
  dconf.settings = {
    "org/gnome/desktop/wm/preferences" = {
      "titlebar-font" = "Sans Bold";
    };
    "org/gnome/desktop/interface" = {
      "font-name" = "Sans";
      "document-font-name" = "Sans";
      "monospace-font-name" = "Monospace";
    };
  };
  # HM managed fonts
  #
  # The reason I use Source Han instead of Noto CJK,
  # is because I heard from #archlinux-cn, Adobe packages font better.
  # You can 100% use noto-fonts-cjk-{sans,serif} if you prefer consistency/other reason.
  #
  # Using VF to reduce closure size:
  #   Version 1579 -> 1580:
  #   home-manager: -10.4 KiB
  #   inter: -12695.6 KiB
  #   jetbrains-mono: -7621.0 KiB
  fonts.fontconfig.enable = true;
  home.packages = with pkgs; [
    (nerdfonts.override {fonts = ["NerdFontsSymbolsOnly"];})
    (inter.overrideAttrs {
      installPhase = ''
        runHook preInstall
        install -Dm644 -t $out/share/fonts/truetype/ InterVariable*.ttf
        runHook postInstall
      '';
    })
    (jetbrains-mono.overrideAttrs {
      installPhase = ''
        runHook preInstall
        install -Dm644 -t $out/share/fonts/truetype/ fonts/variable/*.ttf
        runHook postInstall
      '';
    })
    noto-fonts
    noto-fonts-color-emoji
    source-han-sans-vf-otf
    source-han-serif-vf-otf
  ];
 }
--- a/nixos/profiles/common/graphical/home/fonts/fonts.conf
+++ b/nixos/profiles/common/graphical/home/fonts/fonts.conf
@ -1,112 +0,0 @@
 <?xml version='1.0'?>
 <!DOCTYPE fontconfig SYSTEM 'fonts.dtd'>
 <fontconfig>
  <its:rules version="1.0" xmlns:its="http://www.w3.org/2005/11/its">
    <its:translateRule selector="/fontconfig/*[not(self::description)]" translate="no"/>
  </its:rules>
  <description>trash Font Config 4.0</description>
  <match target="font">
    <!-- <edit mode="assign" name="antialias">         <bool>true</bool></edit> --> <!-- breaks emoji in GTK, unsure why -->
    <edit mode="assign" name="hinting">           <bool>true</bool></edit>
    <edit mode="assign" name="hintstyle">         <const>hintslight</const></edit>
    <edit mode="assign" name="autohint">          <bool>false</bool></edit>
    <edit mode="assign" name="embeddedbitmap">    <bool>false</bool></edit>
    <edit mode="assign" name="lcdfilter">         <const>lcddefault</const></edit>
    <edit mode="assign" name="rgba">              <const>rgb</const></edit>
  </match>
  <!-- Default fonts -->
  <alias binding="strong">
    <family>serif</family>
    <prefer>
      <family>Source Han Serif SC VF</family>
      <family>Noto Color Emoji</family>
    </prefer>
  </alias>
  <alias binding="strong">
    <family>sans-serif</family>
    <prefer>
      <family>Inter Variable</family>
      <family>Source Han Sans SC VF</family>
      <family>Noto Color Emoji</family>
    </prefer>
  </alias>
  <alias binding="strong">
    <family>monospace</family>
    <prefer>
      <family>JetBrains Mono</family>
      <family>Source Han Sans SC VF</family>
      <family>Noto Color Emoji</family>
    </prefer>
  </alias>
  <alias binding="strong">
    <family>system-ui</family>
    <prefer>
      <family>Inter Variable</family>
      <family>Source Han Sans SC VF</family>
      <family>Noto Color Emoji</family>
    </prefer>
  </alias>
  <!-- Rebind unliked/old fonts -->
  <!-- Sans -->
  <match target="pattern">
    <test name="family" qual="any"><string>Microsoft YaHei</string></test>
    <edit name="family" binding="same" mode="assign"><string>sans-serif</string></edit>
  </match>
  <match target="pattern">
    <test name="family" qual="any"><string>SimHei</string></test>
    <edit name="family" binding="same" mode="assign"><string>sans-serif</string></edit>
    </match>
  <match target="pattern">
    <test name="family" qual="any"><string>WenQuanYi Zen Hei</string></test>
    <edit name="family" binding="same" mode="assign"><string>sans-serif</string></edit>
  </match>
  <match target="pattern">
    <test name="family" qual="any"><string>WenQuanYi Micro Hei</string></test>
    <edit name="family" binding="same" mode="assign"><string>sans-serif</string></edit>
  </match>
  <match target="pattern">
    <test name="family" qual="any"><string>WenQuanYi Micro Hei Light</string></test>
    <edit name="family" binding="same" mode="assign"><string>sans-serif</string></edit>
  </match>
  <!-- Serif -->
  <match target="pattern">
    <test name="family" qual="any"><string>SimSun</string></test>
    <edit name="family" binding="same" mode="assign"><string>serif</string></edit>
  </match>
  <match target="pattern">
    <test name="family" qual="any"><string>SimSun-18030</string></test>
    <edit name="family" binding="same" mode="assign"><string>serif</string></edit>
  </match>
  <!-- Monospace -->
  <match target="pattern">
    <test name="family" qual="any"><string>Liberation Mono</string></test>
    <edit name="family" binding="same" mode="assign"><string>monospace</string></edit>
  </match>
  <match target="pattern">
    <test name="family" qual="any"><string>SF Mono</string></test>
    <edit name="family" binding="same" mode="assign"><string>monospace</string></edit>
  </match>
  <match target="pattern">
    <test name="family" qual="any"><string>Noto Sans Mono</string></test>
    <edit name="family" binding="same" mode="assign"><string>monospace</string></edit>
  </match>
  <!-- Reject DejaVu Sans -->
  <!-- why is DejaVu Sans still here after fonts.enableDefaultPackages = false -->
  <selectfont>
    <rejectfont>
        <pattern><patelt name="family" ><string>DejaVu Sans</string></patelt></pattern>
    </rejectfont>
  </selectfont>
 </fontconfig>
--- a/nixos/profiles/common/minimal/default.nix
+++ b/nixos/profiles/common/minimal/default.nix
@ -1,5 +0,0 @@
 {modulesPath, ...}: {
  imports = [
    (modulesPath + "/profiles/minimal.nix")
  ];
 }
--- a/nixos/profiles/common/mobile/default.nix
+++ b/nixos/profiles/common/mobile/default.nix
@ -1,3 +0,0 @@
 {
  home-manager.users.guanranwang = import ./home;
 }
--- a/nixos/profiles/common/mobile/home/default.nix
+++ b/nixos/profiles/common/mobile/home/default.nix
@ -1,3 +0,0 @@
 {
  services.batsignal.enable = true;
 }
--- a/nixos/profiles/common/opt-in/gaming/default.nix
+++ b/nixos/profiles/common/opt-in/gaming/default.nix
@ -1,58 +0,0 @@
 {
  pkgs,
  lib,
  config,
  ...
 }: {
  ### home-manager
  home-manager.users.guanranwang.imports = [./home];
  ### for steam
  # https://github.com/NixOS/nixpkgs/issues/47932
  hardware.opengl.driSupport32Bit = true;
  # https://wiki.archlinux.org/title/Gamepad#Connect_Xbox_Wireless_Controller_with_Bluetooth
  hardware.xone.enable = true; # via wired or wireless dongle
  hardware.xpadneo.enable = true; # via Bluetooth
  programs.gamemode = {
    enable = true;
    settings.custom = {
      start = "${lib.getExe pkgs.libnotify} 'GameMode Activated' 'GameMode Activated! Enjoy enhanced performance. 🚀'";
      end = "${lib.getExe pkgs.libnotify} 'GameMode Deactivated' 'GameMode Deactivated. Back to normal mode. ⏹️'";
    };
  };
  # Integrate with NVIDIA Optimus offloading.
  # https://github.com/FeralInteractive/gamemode#note-for-hybrid-gpu-users
  environment.sessionVariables = {
    "GAMEMODERUNEXEC" = let
      inherit (config.hardware.nvidia.prime) offload;
    in
      lib.mkIf
      (builtins.elem "nvidia" config.services.xserver.videoDrivers && offload.enable && offload.enableOffloadCmd)
      (lib.mkDefault "nvidia-offload");
  };
  ### https://wiki.archlinux.org/title/Gaming#Improving_performance
  systemd.tmpfiles.rules = [
    #    Path                  Mode UID  GID  Age Argument
    #"w /proc/sys/vm/compaction_proactiveness - - - - 0"
    "w /proc/sys/vm/min_free_kbytes - - - - 1048576"
    "w /proc/sys/vm/swappiness - - - - 10"
    "w /sys/kernel/mm/lru_gen/enabled - - - - 5"
    "w /proc/sys/vm/zone_reclaim_mode - - - - 0"
    #"w /sys/kernel/mm/transparent_hugepage/enabled - - - - never"
    #"w /sys/kernel/mm/transparent_hugepage/shmem_enabled - - - - never"
    #"w /sys/kernel/mm/transparent_hugepage/khugepaged/defrag - - - - 0"
    "w /proc/sys/vm/page_lock_unfairness - - - - 1"
    "w /proc/sys/kernel/sched_child_runs_first - - - - 0"
    "w /proc/sys/kernel/sched_autogroup_enabled - - - - 1"
    "w /proc/sys/kernel/sched_cfs_bandwidth_slice_us - - - - 500"
    "w /sys/kernel/debug/sched/latency_ns  - - - - 1000000"
    "w /sys/kernel/debug/sched/migration_cost_ns - - - - 500000"
    "w /sys/kernel/debug/sched/min_granularity_ns - - - - 500000"
    "w /sys/kernel/debug/sched/wakeup_granularity_ns  - - - - 0"
    "w /sys/kernel/debug/sched/nr_migrate - - - - 8"
  ];
 }
--- a/nixos/profiles/common/opt-in/gaming/home/default.nix
+++ b/nixos/profiles/common/opt-in/gaming/home/default.nix
@ -1,16 +0,0 @@
 {pkgs, ...}: {
  programs.mangohud.enable = true;
  home.packages = with pkgs; [
    (prismlauncher.override {glfw = glfw-wayland-minecraft;})
    (steam.override {
      extraEnv = {
        # STEAM_EXTRA_COMPAT_TOOLS_PATHS = gamePkgs.proton-ge;
      };
    })
    mumble
    osu-lazer-bin
    # lunar-client
    # protonup-qt
  ];
 }
--- a/nixos/profiles/common/physical/default.nix
+++ b/nixos/profiles/common/physical/default.nix
@ -1,11 +0,0 @@
 {pkgs, ...}: {
  networking.stevenblack.enable = true;
  services.system76-scheduler.enable = true;
  services.power-profiles-daemon.enable = true;
  services.thermald.enable = true;
  # YubiKey
  environment.systemPackages = [pkgs.yubikey-manager];
  services.pcscd.enable = true;
  services.udev.packages = [pkgs.yubikey-personalization];
 }
--- a/nixos/profiles/common/core/default.nix
+++ b/nixos/profiles/common/core/default.nix
@ -7,10 +7,10 @@
 }: {
  imports =
    [
-      ./hardening
+      ./hardening.nix
-      ./networking
+      ./networking.nix
-      ./nix
+      ./nix.nix
-      ./fun.nix
+      "${inputs.srvos}/nixos/common/well-known-hosts.nix"
    ]
    ++ (with inputs; [
      aagl.nixosModules.default
@ -19,6 +19,7 @@
      impermanence.nixosModules.impermanence
      lanzaboote.nixosModules.lanzaboote
      nixos-sensible.nixosModules.default
      nixos-sensible.nixosModules.zram
      nur.nixosModules.nur
      self.nixosModules.default
      sops-nix.nixosModules.sops
@ -28,16 +29,14 @@
    inputs.self.overlays.patches
  ];
  ### home-manager
  home-manager.users.guanranwang = import ../../../../home;
  home-manager = {
    users.guanranwang = import ../../../home;
    useGlobalPkgs = true;
    useUserPackages = true;
    extraSpecialArgs = {inherit inputs;}; # ??? isnt specialArgs imported by default ???
  };
-  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_zen;
+  boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
  ### Default Programs
  # In addition of https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/system-path.nix
@ -86,22 +85,27 @@
  programs.dconf.enable = true;
  programs.fish.enable = true;
-  users.groups."nix-access-tokens" = {};
+  programs.command-not-found.enable = false;
-  nix.extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
+  environment.stub-ld.enable = false;
  documentation = {
    doc.enable = false;
    info.enable = false;
    nixos.enable = false;
  };
  # https://github.com/NixOS/nixpkgs/pull/308801
  # nixos/switch-to-configuration: add new implementation
  system.switch = {
    enable = false;
    enableNg = true;
  };
  ### sops-nix
  sops = {
-    defaultSopsFile = ../../../../secrets.yaml;
+    defaultSopsFile = ../../../secrets.yaml;
    age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
    gnupg.sshKeyPaths = [];
-    secrets = {
+    secrets."hashed-passwd".neededForUsers = true;
      "hashed-passwd" = {
        neededForUsers = true;
      };
      "nix-access-tokens" = {
        group = config.users.groups."nix-access-tokens".name;
        mode = "0440";
      };
    };
  };
 }
--- a/nixos/profiles/common/core/hardening/default.nix
+++ b/nixos/profiles/common/core/hardening/default.nix
@ -1,15 +1,6 @@
-{...}: {
+{
  ### Basic hardening
  # ref: https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/profiles/hardened.nix
  # ref: https://madaidans-insecurities.github.io/guides/linux-hardening.html
  imports = [
    ./sysctl.nix
  ];
  environment.etc.machine-id.text = "b08dfa6083e7567a1921a715000001fb"; # whonix id
-  security.apparmor.enable = true;
+  security.sudo.execWheelOnly = true;
  security.sudo-rs.enable = true;
  security.sudo-rs.execWheelOnly = true;
  boot.blacklistedKernelModules = [
    # Obscure network protocols
--- a/nixos/profiles/core/networking.nix
+++ b/nixos/profiles/core/networking.nix
@ -0,0 +1,10 @@
 {
  services.resolved.enable = true;
  ### https://wiki.archlinux.org/title/Sysctl#Improving_performance
  boot.kernelModules = ["tcp_bbr"];
  boot.kernel.sysctl = {
    "net.core.default_qdisc" = "cake";
    "net.ipv4.tcp_congestion_control" = "bbr";
  };
 }
--- a/nixos/profiles/core/nix.nix
+++ b/nixos/profiles/core/nix.nix
@ -0,0 +1,60 @@
 {
  lib,
  config,
  inputs,
  ...
 }: {
  nix.settings = {
    substituters =
      (lib.optionals (config.time.timeZone == "Asia/Shanghai") [
        "https://mirrors.tuna.tsinghua.edu.cn/nix-channels/store" # TUNA - 清华大学 Mirror
      ])
      ++ [
        "https://nix-community.cachix.org"
        "https://guanran928.cachix.org"
      ];
    trusted-public-keys = [
      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      "guanran928.cachix.org-1:BE/iBCj2/pqJXG908wHRrcaV0B2fC+KbFjHsXY6b91c="
    ];
    experimental-features = [
      "auto-allocate-uids"
      "cgroups"
      "flakes"
      "nix-command"
      "no-url-literals"
    ];
    flake-registry = "";
    trusted-users = ["@wheel"];
    allow-import-from-derivation = false;
    auto-allocate-uids = true;
    auto-optimise-store = true;
    builders-use-substitutes = true;
    use-cgroups = true;
    use-xdg-base-directories = true;
  };
  nix = {
    # Add each flake input as a registry
    # To make nix3 commands consistent with the flake
    registry = lib.mapAttrs (_: value: {flake = value;}) inputs;
    # Disable nix-channel
    channel.enable = false;
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
    extraOptions = "!include ${config.sops.secrets.nix-access-tokens.path}";
  };
  users.groups."nix-access-tokens" = {};
  sops.secrets."nix-access-tokens" = {
    group = config.users.groups."nix-access-tokens".name;
    mode = "0440";
  };
 }
--- a/nixos/profiles/desktop/default.nix
+++ b/nixos/profiles/desktop/default.nix
@ -1,7 +0,0 @@
 {...}: {
  imports = [
    ../common/core
    ../common/graphical
    ../common/physical
  ];
 }
--- a/nixos/profiles/laptop/default.nix
+++ b/nixos/profiles/laptop/default.nix
@ -1,8 +0,0 @@
 {...}: {
  imports = [
    ../common/core
    ../common/graphical
    ../common/physical
    ../common/mobile
  ];
 }
--- a/nixos/profiles/common/opt-in/mihomo/config.yaml
+++ b/nixos/profiles/common/opt-in/mihomo/config.yaml
--- a/nixos/profiles/common/opt-in/mihomo/default.nix
+++ b/nixos/profiles/common/opt-in/mihomo/default.nix
@ -25,7 +25,12 @@
  };
  ### sops-nix
-  sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["mihomo.service"];}) {
+  sops.secrets = builtins.mapAttrs (_name: value:
    value
    // {
      restartUnits = ["mihomo.service"];
      sopsFile = ./secrets.yaml;
    }) {
    "clash/secret" = {};
    "clash/proxies/lightsail" = {};
    "clash/proxy-providers/efcloud" = {};
--- a/nixos/profiles/opt-in/mihomo/secrets.yaml
+++ b/nixos/profiles/opt-in/mihomo/secrets.yaml
@ -0,0 +1,46 @@
 clash:
    secret: ENC[AES256_GCM,data:0dikpMbntA==,iv:63yclHF0yUJXWr7/RN0RLMFmASD847i6WAplx6sfvGQ=,tag:Y7lw2sn34CEfAmzy/0IugA==,type:str]
    proxies:
        lightsail: ENC[AES256_GCM,data:YfyZsBi3yMIAMIjotAk4g4M+yYYozSSbKE77oz3lwbRHCMVJqxeo5nR04HrG8Hy2mQvVV09et1MbgnDMhEaSERZvsfaBojFUoRE6Du18n1ET8P1/ez5aKgC6ZnHy90a99mktqD4QDGNE8VDX2xBtNcVLF6i9dJ9di9tJEtnOdw+Q,iv:/uqtX6E2I0sqSWt2FmKwzG9zQb2TjdQqfDBZQXLh8cs=,tag:ofvc5GKEPrizajUaevI1jA==,type:str]
    proxy-providers:
        flyairport: ENC[AES256_GCM,data:x6li/5tWuAX9ZvLVUETLaBDqjB8pb8vSD9jD8HDMXNiiilq03RVHx7eXTiWMVJMlRUBOxvhTXH1fQxzye34aZQMx4BftMOQzvG5soF/P+K5hGapC9wbFnoH8znHkAdIgRLIeDBHRix3ll2OqGhqCENkWF4jjs/Pxqfz5bJlhcA==,iv:lO59riu5seloBRIy8QG02afNciEKvElzovLyaX90iSA=,tag:/L+elOLB2agQdRvg9tR0WQ==,type:str]
        efcloud: ENC[AES256_GCM,data:36mToXGiHVAgM4vVQFOYvNPaHHuVf4mtvnNOgMBTyzbZ/mKpT1Exx7rWZ7i9EVBy5eX7SJtKmnHs0CqD48hr7R708W2oW3YNPEfkK7aGDqfQFyS1TVjT+MM=,iv:+qiFyM10fcAjcdyVZCC+0hb83GYENooM52+1GPXpamQ=,tag:wZupiFJMQq8A5ZwJtjXiOg==,type:str]
        spcloud: ENC[AES256_GCM,data:gmJM+sTTaUrIxQXRBlDtE+K1gEfseMPUC2AQLq1LeY6iQmgq3wK7oJlz+buLbm/LUDitvls9d517905hz/Mpp2F7ohBeW9m1Jkcvdh/Zfgnfqg==,iv:FPe//+/ZMDZloZg2AnQ7JXRzqZdKDjLYs3wqMxqNA/Y=,tag:JPEU/WnUfy8bNlhAgPQwJw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaXJJdVlKb0lpa3pkZ0px
            UGwveFAydHBUMzdXOU5ibHRBNmg1VllUVWxBCkh5SWQrQUhFSFA2NHA2WWhhYXhV
            bFlteVVCM1M1VlRoakZ1UW1ENmJWM3cKLS0tIDdpZVo0Z2dQQ29DVnVOQU5kWkMy
            N2djZElOQUtINXY5bGJKZFROK1VpZWcKMQY/1i3yvoKhDUdkmvQ0boVHzh9vta1Z
            hz9WY8aYIMsa0PY71FuBMklOfNtaPKbewx9XXfLDetFLQ7tmWnIzFg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmVzFrcWdBNlYvdWRzNVNr
            T3YyQ3JBakRQcnd2MzMyNnN4Z3h0TkN3S1NvCmdCZnFaeVdFcCtoVzh6OGRnd2o3
            cVpxTCtpV1RYRjloUElLek9NcDlrMWsKLS0tIEdtZWVNUXY4VDAzSUxkUGhodjlJ
            UHFlbi9JYTBVYWIyOGZ6SnBZcWo4K1kK9TkNUwrKIywSaXoExUaBb3y4L5Gg+2CT
            0eI/CUL8LuYSSGeGRtypMPklHUQS4qV3UmXbnNSKctdLrNcDRperXg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1MHd3Qjl1ODJzVWlwN3VB
            L3ZFdVBPbmRzQUJBbWdiRUtqVzJYeVlHdkZJCit4YzExQ1UweXcrRkpVMEVKQlB3
            NGt0VHE1alFvSkJGKzU5ZzM5akFwUG8KLS0tIGdvNS9ZYWU4TXM2Y1hVbjl2Z3cy
            QStSb1FJb0xUUkV5cjg1Qk5ORDRQMzQKiTUdlCbgRX0zRPURsolB4O0dvxl9+lkn
            0cIBYnVxzSdlDj+TXnTR2zL2cqZg94cNaTz0qWk/kmkmgmqm80hZ7Q==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-07-09T22:04:17Z"
    mac: ENC[AES256_GCM,data:iKwYqxBllI8SydCUjyK2cJkcUKVj4CqjmfDSMNJtLwM6IWUoOScV4Pu0YJz0aui5F8nbyC92vdDwsE599GZMTWdCH20MeWEMo7pbkPFxxL1bY5BMCNNE3Tm354nz4ihmBXMB9aI1JRiSareV5yQ1v6lOxzDargDigMrPI/6DRfo=,iv:JRvJQ3YdFZsBstT55xKcCMGJODy42FImugHbwEbpV2I=,tag:go33lpTdouZoFk53g9FXTw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/nixos/profiles/opt-in/wireless/default.nix
+++ b/nixos/profiles/opt-in/wireless/default.nix
@ -0,0 +1,8 @@
 {lib, ...}: {
  sops.secrets = builtins.mapAttrs (_name: value: value // {sopsFile = ./secrets.yaml;}) {
    "wireless/wangxiaobo".path = "/var/lib/iwd/wangxiaobo.psk";
    "wireless/ImmortalWrt".path = "/var/lib/iwd/ImmortalWrt.psk";
  };
  networking.wireless.iwd.enable = lib.mkDefault true;
 }
--- a/nixos/profiles/opt-in/wireless/secrets.yaml
+++ b/nixos/profiles/opt-in/wireless/secrets.yaml
@ -0,0 +1,41 @@
 wireless:
    wangxiaobo: ENC[AES256_GCM,data:D9m+JRZ2Tw1a4mukW+WU3QLYIRiTiRkGz1ddD7zvkctbuYg+BZXtRgDR0FOIn586t0DsgA1wBDEN/WWiLRTrArgWTHiv7OsOa1NI7+BuL1cFb1TNbk04zbtc6cCOpDBH8qivx0jdZIqrJ5JzIaeZ9T78tj1jMmp3pyt3RiEcZLqxjnPiJhJVaZ8iUNDTvuX3DpsmqybYiLO+Hz7qvIHwM1euc/vyraZ2SR/y5DjTjwVK1jiAs3glPy2oYayVhv+RPs/AHVDnslbtPxGrPhRXxZT3t9LnBw+I0VgrdKUl39ym38PurGnVoBJ7EUVWl3SUPQjnDfQI/XQiDyI3DZ8uA5MGwlR9mny5N/ojs+q7J/k4YiSThCasA5tA24SNRZQWI9lFevoortU+is9FTTGkfzgrrcuURDs6E3ShbbHgn4tvHPhB87J1mP9D7UMIFFfVyvqp5fRgBMHcrEA8xln2xvvQdRDDj/JJYIj3ex8PpTqvAi1EwnAFWhBgqIchcHRFcfQRWOsR7h8M1UQpnge85UZfePMropq5zJ3TSF4AKa2A4UqhgkvLm8qrMI1lvsEnH4TMoyV5Z59T4sPd4Eb3FV26wey6DTdw6cCuywh0AQ==,iv:nbD9EcQYaAf4XwvTLKRy+IjTkV7aHsHK+gBD/Ooc/l8=,tag:VHD3X0ONH4YTp/BTcnpLDQ==,type:str]
    ImmortalWrt: ENC[AES256_GCM,data:xMQtz/XklFZnT9HzD464f6Hh4Yz6LnfEV2A9xQzXgbKygKX8MZd1DN1+axtg0SBWEFevEYJ8hZJJjYbUd1LM2m7p51w8tBb+NeaunI2gl1DGcd7jyacH/Z3sTOFr0Lh9zfPSo8XAc3rP1tRyEDClc6AAjH72adGfBR83ZFvBlq80/uIbBULm53H+MqBm+ak9bRPiom3mv8e4CdwTcAHzfA2iYYGwOr3J/vRBeRaenhz01wXnmVDIOh50/wP4ttw5iEAsqjJnVG2G4oMbVFbHumNNC97/FAiZ1SSES5MVjLl9i4RYlTnS/ypuUci0qQUvi0PBDC1cYrkHtfP1OUnRopqPcKIFk5tCbOOgxSLI6GOoPT8+98M4xRI5WA9v3DKlTEzsqOAlhSOcRTiQFc+YVAo75jMBi3dsOUVYM2NvYNIw7aKuNcWuvgFsMadO+GELLiix94wecupV/Ruve+fJTxIiJsiTbZdqTCkb257VApVA4P/eMSgbHIu1MnYCRzccfQiEpEXq7SGLy9WHXfulqKSXMuZB/ai756cuV1jf1+h/ZniA+A/K8c5n6QzFWTa6pgRcIR2NP2IvldpF49aSbVCZZWD8lmnhrQmxgIxarHJW,iv:Pj9se0zKfvtoAM5FcWa99/DJ4VCFAJjDhEN8wfW51gU=,tag:fM+IBDGY56LVSZhBnHqoYA==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age129yyxyz686qj88ce5v77ahelqqwt6zz94mzzls0ny4hq76psrd9qhc79kq
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtSktSV1ByUnF2TGJaMzh3
            a3RoaHptWHF1MjdsUFc5R2pySEFYa1IzQVE0CjZoUkVhaktldDJvL2dmRjdGa1B5
            MEtoUHpoaENNUVRtS3B4aXJQMHNCT2sKLS0tIGd5dEt0RWpkd3ZPVGkvM1JWWUdh
            ZDBtRFJTMlZmUmtlNVc3ZW5oa3V0WGsKcqjqj+oPnGxAzeWpPYSpBBfS9GhN+O4/
            Mt9NT1LWfiUDhxz5GYmcLKe1tRNXpGeG02HcY65WgcVd1Y7n4mMJRA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hm6pkvt4d640wmjhxg5wxfwkp9zhcqre9klr4zg5kx2qx7vyhuuqlytmnp
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZnRDOHZ1MWViV0dhS3JO
            dmY2N2lyVHUxNmZnMStpcFMwbzMyZXBaaEJZCjZqWk0rOEdnMVNLTVRHMDNzUm5u
            OFZTV2ZGTFQ5QlQrM3gzNUhQQ2xXMkEKLS0tIGUzeTEwZmYxekQ0cTJrU2Vhb3Zp
            M2FjUFFrREphODFQUm1kRlJNOGRpTTQKF7k5/oPjoILtFEf2sO6nnF0Ar6ebTN3r
            TdXYtTek0sIlSdYfVSxLmhiymz2mKi7TKPcKH6POmp0uuVX8HFEAJg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age174knn6hjtukp32ymcdvjwj6x0j54g7yw02dqfjmua3fkyltwcqrsxccjdk
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6eWIvamwrRGthdzlYRmJm
            SjNQTG92TzlvckJCMTM3SytHdUVodVJFYkVJCmRLSjg5TGF4RkZ1WitRNVVrSlNT
            ZnQ5TnRPTGI5Uk1vaWpvMWh2NHR4NmsKLS0tIFRtbm5Kemo1WVMyMFZ3SDAwdDBn
            dEN1cEJFZU82bVFRVlVqcTIzckRHQjgKHgRyq4UOcZyiFnK9fq1NLtxRktFCs3V8
            EQhl+CPWTRZTZkttJ5MclGlvTNbiH3Iy9syKns6qvOw75wqtXIdIWQ==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2024-07-10T08:37:51Z"
    mac: ENC[AES256_GCM,data:M892yzbmOSiDdifD1kRreBR/+JwMneIZjvCXC90osBogFEmUtf9W6M3xeYmbTobgE/chy9O9yn6CVDt9OucU+sT7o2oUpbOHVulJnwstBuUJGQAEwhyolQP5YRiGRxQzdPG6dqLUkKlsi44pm4dNtDLHFPE0j1wA0PD1fhrH4Y0=,iv:P+ne5UD5F62NW0xYndCDEzR0e7qo0COwDY0iNb2bKUo=,tag:uZfOsrZuSMYdY2zqFhqiyw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/Show more
+++ b/Show more
Author	SHA1	Message	Date
Guanran Wang	7be816cc69	home/mpv: remove sponsorblock	2024-07-20 17:04:44 +08:00
Guanran Wang	135c6ff938	home/sway: actually unset immodule variables	2024-07-20 17:04:44 +08:00
Guanran Wang	37349c9afc	home/mpv: add anime4k	2024-07-20 17:04:44 +08:00
Guanran Wang	68f3313abd	home: move flake repo directory	2024-07-20 17:04:44 +08:00
Guanran Wang	14b75192cc	tyo0/miniflux: use keycloak oidc	2024-07-20 17:04:43 +08:00
Guanran Wang	3da9f0deea	nixos/caddy: cleanup	2024-07-20 17:04:43 +08:00
Guanran Wang	cbf8c81130	lightsail-tokyo/element-web: 1.11.70 -> 1.11.71	2024-07-20 17:04:43 +08:00
Guanran Wang	8525993f85	flake: update lock file	2024-07-20 17:04:43 +08:00
Guanran Wang	60058d43c3	lightsail-tokyo/forgejo: set ssh domain for cdn	2024-07-20 17:04:43 +08:00
Guanran Wang	863f233dcb	treewide: cleanup	2024-07-20 17:04:43 +08:00
Guanran Wang	8187a57f01	aristotle: cleanup	2024-07-20 17:04:43 +08:00
Guanran Wang	7aa07d02fa	nixos: unblock bots	2024-07-20 17:04:42 +08:00
Guanran Wang	cd183f00bd	home/fonts: perfer source-{sans,serif} over noto-{sans,serif}	2024-07-20 17:04:42 +08:00
Guanran Wang	9c74f706e5	lightsail-tokyo: add libreddit	2024-07-20 17:04:42 +08:00
Guanran Wang	fa8108f522	flake: unbreak `nix flake check`	2024-07-20 17:04:42 +08:00
Guanran Wang	252925cb55	lightsail-tokyo: cleanup caddyfile	2024-07-20 17:04:42 +08:00
Guanran Wang	852b2df205	pixivfe: move to ./pkgs	2024-07-20 17:04:42 +08:00
Guanran Wang	7a29d71c7f	lightsail-tokyo: add miniflux	2024-07-20 17:04:42 +08:00
Guanran Wang	e8d2deacd7	flake/colmena: cleanup	2024-07-20 17:04:41 +08:00
Guanran Wang	6d2ac829f4	nixos/core: enable zram by default	2024-07-20 17:04:41 +08:00
Guanran Wang	a779cb029f	nixos/wireless: fix ssid	2024-07-20 17:04:41 +08:00
Guanran Wang	7ffcdce70f	aristotle: disable xserver	2024-07-20 17:04:41 +08:00
Guanran Wang	b6c7998ff6	hosts: socrates -> enchilada	2024-07-20 17:04:41 +08:00
Guanran Wang	a42123d35f	home/fonts: cleanup	2024-07-20 17:04:41 +08:00
Guanran Wang	16f0af6e1a	nixos/nix: cleanup	2024-07-20 17:04:41 +08:00
Guanran Wang	f883c2526f	nixos: have less fun	2024-07-20 17:04:40 +08:00
Guanran Wang	bd7f51b7b1	treewide: cleanup	2024-07-20 17:04:40 +08:00
Guanran Wang	b23abd8a85	nix: cleanup substituters	2024-07-20 17:04:40 +08:00
Guanran Wang	0e41e653a4	flake: update lock file	2024-07-20 17:04:40 +08:00
Guanran Wang	a20a63696f	home/gaming: enable sdl3 for osu-lazer	2024-07-20 17:04:40 +08:00
Guanran Wang	a31c38d2e5	darwin: unbreak	2024-07-20 17:04:40 +08:00
Guanran Wang	d86e047588	home/fish: cleanup plugins those seems to be not working for some unknown reasons	2024-07-20 17:04:40 +08:00
Guanran Wang	330ed148a4	home/sway: use grimshot	2024-07-20 17:04:39 +08:00
Guanran Wang	708f1e60b7	scripts/screenshot: fix replace matching	2024-07-20 17:04:39 +08:00
Guanran Wang	e7029ac06b	home: add kanshi	2024-07-20 17:04:39 +08:00
Guanran Wang	6a986e4a0d	home: rofi -> wmenu	2024-07-20 17:04:39 +08:00
Guanran Wang	09b7862c23	nixos/nix: disable unwanted options	2024-07-20 17:04:35 +08:00
Guanran Wang	3c31179572	hosts/aristotle: support external output	2024-07-20 17:04:31 +08:00
Guanran Wang	4b26ce620d	home/sway: new wallpaper	2024-07-20 17:04:31 +08:00
Guanran Wang	b8faf1e1a4	home/foot: fix sway floating mode	2024-07-20 17:04:31 +08:00
Guanran Wang	fd310f94b9	flake: update lock file	2024-07-20 17:04:31 +08:00
Guanran Wang	27d8675ce6	flake: switch to self-hosted git	2024-07-20 17:04:28 +08:00
Guanran Wang	39598c2e1a	home: switch to tmux	2024-07-20 17:04:28 +08:00
Guanran Wang	b325e7c3a8	blacksteel: add external drive	2024-07-20 17:04:24 +08:00
Guanran Wang	4074357178	home: add jq	2024-07-07 23:03:32 +08:00
Guanran Wang	7663238d87	git: enable push.autoSetupRemote	2024-07-07 23:03:32 +08:00
Guanran Wang	ae7c690fe1	bat: don't set as pager	2024-07-07 23:03:32 +08:00
Guanran Wang	d3bb3d3d15	home/fcitx5: use qt6 version :( qtwebengine: 5.15.17 → 6.7.2, +156144.3 KiB	2024-07-07 23:03:31 +08:00
Guanran Wang	e09f95921d	flake: update lock file	2024-07-07 23:03:31 +08:00
Guanran Wang	4092bd105b	secrets: update access token	2024-07-07 23:03:31 +08:00
Guanran Wang	cb8d0f3995	home/nix: update tooling	2024-07-07 23:03:31 +08:00
Guanran Wang	855099c3c6	flake: update lock file	2024-07-07 23:03:31 +08:00
Guanran Wang	724f4b443d	home: avoid xresources	2024-07-07 23:03:31 +08:00
Guanran Wang	045bf55f6c	flake: update lock file	2024-07-07 23:03:30 +08:00
Guanran Wang	4055e7432a	home/{firefox,thunderbird}: remove ifd	2024-07-07 23:03:30 +08:00
Guanran Wang	f48525552d	scripts: runCommandNoCCLocal -> runCommandLocal	2024-07-07 23:03:30 +08:00
Guanran Wang	d2babea88d	scripts: add meta.mainProgram	2024-07-07 23:03:30 +08:00
Guanran Wang	b1f18fef38	home: alacritty -> foot	2024-07-07 23:03:30 +08:00
Guanran Wang	6626a9e174	overlays: drop prismlauncher offline mode	2024-07-07 23:03:29 +08:00
Guanran Wang	2e80ded63b	home/gtk: fix font on gnome	2024-07-07 23:03:29 +08:00
Guanran Wang	c4a2d05bf4	nixos: frp -> cloudflared	2024-07-07 23:03:29 +08:00
Guanran Wang	d081798ded	scripts: use makeScope	2024-07-07 23:03:29 +08:00
Guanran Wang	a5103666f1	home/starship: remove ifd	2024-07-07 23:03:29 +08:00
Guanran Wang	26d0df9748	home/mpv: revert wrapper workaround	2024-07-07 23:03:28 +08:00
Guanran Wang	e9200310c9	fixup! treewide: remove unused files	2024-07-07 23:03:28 +08:00
Guanran Wang	5bcab213fc	flake: add devShells	2024-07-07 23:03:28 +08:00
Guanran Wang	1097ed7242	nixos: dont use keycloak master realm	2024-07-07 23:03:28 +08:00
Guanran Wang	0dda3e5395	home: remove colorschemes	2024-07-07 23:03:28 +08:00
Guanran Wang	c9dae1ddec	flake: update lock file	2024-07-07 23:03:28 +08:00
Guanran Wang	0f4ddb8924	fixup! nixos: mark ifd as fixme	2024-07-07 23:03:27 +08:00
Guanran Wang	301d91ec13	nixos/frp: don't expose secrets	2024-07-07 23:03:27 +08:00
Guanran Wang	ad037b6f6a	blacksteel/matrix-synapse: use unix socket	2024-07-07 23:03:27 +08:00
Guanran Wang	a4f013938e	nixos: use cloudflare cdn	2024-07-07 23:03:25 +08:00