massicot: switch to ssd

machines/massicot/kanidm-provision.nix

@@ -37,6 +37,7 @@
           "xin"
           "zhuo"
           "ycm"
+          "yzl"
         ];
       };
       grafana-superadmins = {
@@ -73,6 +74,11 @@
         displayName = "Chunming";
         mailAddresses = [ "chunmingyou@gmail.com" ];
       };
+
+      yzl = {
+        displayName = "Zhengli Yang";
+        mailAddresses = [ "13391935399@189.cn" ];
+      };
     };
     systems.oauth2 = {
       forgejo = {

machines/massicot/services.nix

@@ -268,15 +268,33 @@ in
     virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
       reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
     '';
-    virtualHosts."https://auth.xinyang.life".extraConfig = ''
-      reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
-          header_up Host {upstream_hostport}
-          header_down Access-Control-Allow-Origin "*"
-          transport http {
-              tls_server_name ${config.services.kanidm.serverSettings.domain}
+    virtualHosts."https://auth.xinyang.life".extraConfig =
+      let
+        reverseProxyKanidm = ''
+          reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
+              header_up Host {upstream_hostport}
+              header_down Access-Control-Allow-Origin "*"
+              transport http {
+                  tls_server_name ${config.services.kanidm.serverSettings.domain}
+              }
           }
-      }
-    '';
+        '';
+      in
+      ''
+        reverse_proxy /oauth2/openid/owncloud/userinfo https://127.0.0.1:${toString kanidm_listen_port} {
+            header_up Host {upstream_hostport}
+            header_down Access-Control-Allow-Origin "*"
+            transport http {
+                tls_server_name ${config.services.kanidm.serverSettings.domain}
+            }
+            @error status 400
+            handle_response @error {
+                rewrite /oauth2/openid/owncloud/userinfo /oauth2/openid/owncloud-android/userinfo
+                ${reverseProxyKanidm}
+            }
+        }
+        ${reverseProxyKanidm}
+      '';
 
     virtualHosts."https://rss.xinyang.life".extraConfig = ''
       reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR}

machines/massicot/services/restic.nix

@@ -5,9 +5,9 @@
   ...
 }:
 let
-  sqliteBackup = path: ''
-    mkdir -p /backup${path}
-    ${lib.getExe pkgs.sqlite} ${path} "vacuum into '/var/backup${path}'"
+  sqliteBackup = fromPath: toPath: file: ''
+    mkdir -p ${toPath}
+    ${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'"
   '';
 in
 {
@@ -25,7 +25,7 @@ in
     repositoryFile = config.sops.secrets."restic/repo".path;
     passwordFile = config.sops.secrets."restic/password".path;
     paths = [
-      "/var/backup"
+      "/backup"
       "/mnt/storage"
     ];
   };
@@ -34,15 +34,15 @@ in
     enable = true;
     compression = "zstd";
     compressionLevel = 9;
-    location = "/var/backup/postgresql";
+    location = "/backup/postgresql";
   };
 
   services.restic.backups.${config.networking.hostName} = {
     backupPrepareCommand = builtins.concatStringsSep "\n" [
-      (sqliteBackup "/var/lib/hedgedoc/db.sqlite")
-      (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3")
-      (sqliteBackup "/var/lib/gotosocial/database.sqlite")
-      (sqliteBackup "/var/lib/kanidm/kanidm.db")
+      (sqliteBackup "/var/lib/hedgedoc/db.sqlite" "/backup/hedgedoc" "db.sqlite")
+      (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3" "/backup/bitwarden_rs" "db.sqlite3")
+      (sqliteBackup "/var/lib/gotosocial/database.sqlite" "/backup/gotosocial" "database.sqlite")
+      (sqliteBackup "/var/lib/kanidm/kanidm.db" "/backup/kanidm" "kanidm.db")
     ];
     extraBackupArgs = [
       "--limit-upload=1024"