massicot,fix: switch to fix drive

2024-09-14 16:33:01 +08:00 · 2024-09-14 16:33:01 +08:00 · 5104c5943e
commit 5104c5943e
parent 37f59db944
16 changed files with 512 additions and 248 deletions
--- a/flake.lock
+++ b/flake.lock
@ -116,11 +116,11 @@
    },
    "catppuccin": {
      "locked": {
-        "lastModified": 1724469296,
-        "narHash": "sha256-p3R4LUNk6gC+fTKRUm9ByXaoRIocnQMwVuJSIxECQ8o=",
+        "lastModified": 1725509983,
+        "narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=",
        "owner": "catppuccin",
        "repo": "nix",
-        "rev": "874e668ddaf3687e8d38ccd0188a641ffefe1cfb",
+        "rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9",
        "type": "github"
      },
      "original": {
@ -433,11 +433,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1725180166,
-        "narHash": "sha256-fzssXuGR/mCeGbzM1ExaTqDz7QDGta3WA4jJsZyRruo=",
+        "lastModified": 1725694918,
+        "narHash": "sha256-+HsjshXpqNiJHLaJaK0JnIicJ/a1NquKcfn4YZ3ILgg=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "471e3eb0a114265bcd62d11d58ba8d3421ee68eb",
+        "rev": "aaebdea769a5c10f1c6e50ebdf5924c1a13f0cda",
        "type": "github"
      },
      "original": {
@ -468,6 +468,27 @@
        "type": "github"
      }
    },
+    "home-manager_3": {
+      "inputs": {
+        "nixpkgs": [
+          "stylix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726036828,
+        "narHash": "sha256-ZQHbpyti0jcAKnwQY1lwmooecLmSG6wX1JakQ/eZNeM=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "8a1671642826633586d12ac3158e463c7a50a112",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "my-nixvim": {
      "inputs": {
        "flake-parts": "flake-parts",
@ -543,11 +564,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1725241396,
-        "narHash": "sha256-b4YfdCTuVLmrTGt8M44T+k0+rwRhBDXYKPhQR9o6LxU=",
+        "lastModified": 1725672853,
+        "narHash": "sha256-z1O6dzCJ27OZpF680tZL0mQphQETdg4DTryvhFOpZyA=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "36fbe64e2b1b879871d896e94d560691ec88c08b",
+        "rev": "efd33fc8e5a149dd48d86ca6003b51ab3ce4ae21",
        "type": "github"
      },
      "original": {
@ -558,11 +579,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1724878143,
-        "narHash": "sha256-UjpKo92iZ25M05kgSOw/Ti6VZwpgdlOa73zHj8OcaDk=",
+        "lastModified": 1725477728,
+        "narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "95c3dfe6ef2e96ddc1ccdd7194e3cda02ca9a8ef",
+        "rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce",
        "type": "github"
      },
      "original": {
@ -602,11 +623,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1725001927,
-        "narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=",
+        "lastModified": 1725407940,
+        "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
+        "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3",
        "type": "github"
      },
      "original": {
@ -634,11 +655,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1725246338,
-        "narHash": "sha256-a1niN+9XVfG5PjokF5n/yPv9PunUoQFMV2btjAjy/OI=",
+        "lastModified": 1726296585,
+        "narHash": "sha256-inm7AIEqfgF4wXkhWB2M5IfmdITSF90xpeDDSU3DfNc=",
        "owner": "xinyangli",
        "repo": "nixpkgs",
-        "rev": "1e6e46dcf84c3218120d7080c4eca68cf36fd629",
+        "rev": "8539edfb09c674994303141378df4ab33cd765ad",
        "type": "github"
      },
      "original": {
@ -648,6 +669,22 @@
        "type": "github"
      }
    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1726042813,
+        "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "159be5db480d1df880a0135ca0bfed84c2f88353",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixvim": {
      "inputs": {
        "devshell": "devshell",
@ -676,11 +713,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1725248798,
-        "narHash": "sha256-6VVKFwDGBq/waWWkEwQfA3u9smxOeFjzA/f+wKtph2M=",
+        "lastModified": 1725687722,
+        "narHash": "sha256-LPv282y5okYk8ebiBsEbDXy2WykwdBPpAthjKSmTfNI=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "6cac52982b36c11c5d447a5511d84b295783b94f",
+        "rev": "ff7f8143f33751c4f37caec678ed1eb63006c0d3",
        "type": "github"
      },
      "original": {
@ -737,11 +774,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1725201042,
-        "narHash": "sha256-lj5pxOwidP0W//E7IvyhbhXrnEUW99I07+QpERnzTS4=",
+        "lastModified": 1725540166,
+        "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "5db5921e40ae382d6716dce591ea23b0a39d96f7",
+        "rev": "d9d781523a1463965cd1e1333a306e70d9feff07",
        "type": "github"
      },
      "original": {
@ -762,12 +799,8 @@
        "flake-compat": "flake-compat_4",
        "flake-utils": "flake-utils_3",
        "gnome-shell": "gnome-shell",
-        "home-manager": [
-          "home-manager"
-        ],
-        "nixpkgs": [
-          "nixpkgs"
-        ],
+        "home-manager": "home-manager_3",
+        "nixpkgs": "nixpkgs_3",
        "systems": "systems_3"
      },
      "locked": {
--- a/flake.nix
+++ b/flake.nix
@ -55,8 +55,8 @@

    stylix = {
      url = "github:xinyangli/stylix";
-      inputs.nixpkgs.follows = "nixpkgs";
-      inputs.home-manager.follows = "home-manager";
+      # inputs.nixpkgs.follows = "nixpkgs";
+      # inputs.home-manager.follows = "home-manager";
    };
  };

@ -83,7 +83,7 @@
          ];
        };
      deploymentModule = {
-        deployment.targetUser = "xin";
+        deployment.targetUser = "root";
      };
      sharedColmenaModules = [
        self.nixosModules.default
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@ -12,6 +12,7 @@
    ./hardware-configuration.nix
    ./networking.nix
    ./services.nix
+    ./services
  ];

  sops = {
@ -50,13 +51,13 @@
    efiSupport = true;
    configurationLimit = 5;
  };
-
-  fileSystems."/mnt/storage" = {
-    device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
-    fsType = "cifs";
-    options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ];
-  };
-
+  #
+  # fileSystems."/mnt/storage" = {
+  #   device = "//u380335-sub1.your-storagebox.de/u380335-sub1";
+  #   fsType = "cifs";
+  #   options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ];
+  # };
+  #
  environment.systemPackages = with pkgs; [
    cifs-utils
    git
--- a/machines/massicot/hardware-configuration.nix
+++ b/machines/massicot/hardware-configuration.nix
@ -16,8 +16,17 @@
  ];
  boot.initrd.kernelModules = [ "nvme" ];
  fileSystems."/" = {
-    device = "/dev/sda1";
+    device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_35068215-part1";
    fsType = "ext4";
  };

+  fileSystems."/mnt/storage" = {
+    device = "/dev/disk/by-id/scsi-0HC_Volume_101302395";
+    fsType = "btrfs";
+    options = [
+      "subvol=storage"
+      "compress=zstd"
+      "noatime"
+    ];
+  };
 }
--- a/machines/massicot/kanidm-provision.nix
+++ b/machines/massicot/kanidm-provision.nix
@ -1,175 +1,214 @@
+{ config, lib, ... }:
 {
-  enable = true;
-  autoRemove = true;
-  groups = {
-    forgejo-access = {
-      members = [ "xin" ];
-    };
-    forgejo-admin = {
-      members = [ "xin" ];
-    };
-    gts-users = {
-      members = [ "xin" ];
-    };
-    ocis-users = {
-      members = [ "xin" ];
-    };
-    linux_users = {
-      members = [ "xin" ];
-    };
-    hedgedoc-users = {
-      members = [ "xin" ];
-    };
-    immich-users = {
-      members = [
-        "xin"
-        "zhuo"
-        "ycm"
-      ];
-    };
-    grafana-superadmins = {
-      members = [ "xin" ];
-    };
-    grafana-admins = {
-      members = [ "xin" ];
-    };
-    grafana-editors = {
-      members = [ "xin" ];
-    };
-    grafana-users = {
-      members = [ "xin" ];
-    };
-    miniflux-users = {
-      members = [ "xin" ];
-    };
-    idm_people_self_mail_write = {
-      members = [ ];
+  sops.secrets = {
+    "kanidm/ocis_android_secret" = {
+      owner = "kanidm";
    };
  };
-  persons = {
-    xin = {
-      displayName = "Xinyang Li";
-      mailAddresses = [ "lixinyang411@gmail.com" ];
-    };
-
-    zhuo = {
-      displayName = "Zhuo";
-      mailAddresses = [ "13681104320@163.com" ];
-    };
-
-    ycm = {
-      displayName = "Chunming";
-      mailAddresses = [ "chunmingyou@gmail.com" ];
-    };
+  systemd.services.kanidm.serviceConfig = {
+    BindReadOnlyPaths = [
+      config.sops.secrets."kanidm/ocis_android_secret".path
+    ];
  };
-  systems.oauth2 = {
-    forgejo = {
-      displayName = "ForgeJo";
-      originUrl = "https://git.xinyang.life/";
-      originLanding = "https://git.xinyang.life/user/oauth2/kandim";
-      allowInsecureClientDisablePkce = true;
-      scopeMaps = {
-        forgejo-access = [
-          "openid"
-          "email"
-          "profile"
-          "groups"
+  services.kanidm.provision = {
+    enable = true;
+    autoRemove = true;
+    groups = {
+      forgejo-access = {
+        members = [ "xin" ];
+      };
+      forgejo-admin = {
+        members = [ "xin" ];
+      };
+      gts-users = {
+        members = [ "xin" ];
+      };
+      ocis-users = {
+        members = [ "xin" ];
+      };
+      linux_users = {
+        members = [ "xin" ];
+      };
+      hedgedoc-users = {
+        members = [ "xin" ];
+      };
+      immich-users = {
+        members = [
+          "xin"
+          "zhuo"
+          "ycm"
        ];
      };
-      claimMaps = {
-        forgejo_role = {
-          joinType = "array";
-          valuesByGroup = {
-            forgejo-access = [ "Access" ];
-            forgejo-admin = [ "Admin" ];
+      grafana-superadmins = {
+        members = [ "xin" ];
+      };
+      grafana-admins = {
+        members = [ "xin" ];
+      };
+      grafana-editors = {
+        members = [ "xin" ];
+      };
+      grafana-users = {
+        members = [ "xin" ];
+      };
+      miniflux-users = {
+        members = [ "xin" ];
+      };
+      idm_people_self_mail_write = {
+        members = [ ];
+      };
+    };
+    persons = {
+      xin = {
+        displayName = "Xinyang Li";
+        mailAddresses = [ "lixinyang411@gmail.com" ];
+      };
+
+      zhuo = {
+        displayName = "Zhuo";
+        mailAddresses = [ "13681104320@163.com" ];
+      };
+
+      ycm = {
+        displayName = "Chunming";
+        mailAddresses = [ "chunmingyou@gmail.com" ];
+      };
+    };
+    systems.oauth2 = {
+      forgejo = {
+        displayName = "ForgeJo";
+        originUrl = "https://git.xinyang.life/";
+        originLanding = "https://git.xinyang.life/user/oauth2/kandim";
+        allowInsecureClientDisablePkce = true;
+        scopeMaps = {
+          forgejo-access = [
+            "openid"
+            "email"
+            "profile"
+            "groups"
+          ];
+        };
+        claimMaps = {
+          forgejo_role = {
+            joinType = "array";
+            valuesByGroup = {
+              forgejo-access = [ "Access" ];
+              forgejo-admin = [ "Admin" ];
+            };
          };
        };
      };
-    };
-    gts = {
-      displayName = "GoToSocial";
-      originUrl = "https://xinyang.life/";
-      originLanding = "https://xinyang.life/";
-      allowInsecureClientDisablePkce = true;
-      scopeMaps = {
-        gts-users = [
-          "openid"
-          "email"
-          "profile"
-          "groups"
-        ];
+      gts = {
+        displayName = "GoToSocial";
+        originUrl = "https://xinyang.life/";
+        originLanding = "https://xinyang.life/";
+        allowInsecureClientDisablePkce = true;
+        scopeMaps = {
+          gts-users = [
+            "openid"
+            "email"
+            "profile"
+            "groups"
+          ];
+        };
      };
-    };
-    owncloud = {
-      displayName = "ownCloud";
-      originUrl = "https://home.xinyang.life:9201/";
-      originLanding = "https://home.xinyang.life:9201/";
-      public = true;
-      scopeMaps = {
-        ocis-users = [
-          "openid"
-          "email"
-          "profile"
-        ];
+      owncloud = {
+        displayName = "ownCloud";
+        originUrl = "https://drive.xinyang.life:8443/";
+        originLanding = "https://drive.xinyang.life:8443/";
+        public = true;
+        preferShortUsername = true;
+        scopeMaps = {
+          ocis-users = [
+            "openid"
+            "email"
+            "profile"
+          ];
+        };
      };
-    };
-    hedgedoc = {
-      displayName = "HedgeDoc";
-      originUrl = "https://docs.xinyang.life/";
-      originLanding = "https://docs.xinyang.life/auth/oauth2";
-      allowInsecureClientDisablePkce = true;
-      scopeMaps = {
-        hedgedoc-users = [
-          "openid"
-          "email"
-          "profile"
+
+      owncloud-android = {
+        displayName = "ownCloud Apps";
+        originLanding = "https://drive.xinyang.life:8443/";
+        originUrl = [
+          "http://localhost/"
+          "http://127.0.0.1/"
+          "oc://android.owncloud.com"
        ];
+        basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path;
+        preferShortUsername = true;
+        scopeMaps = {
+          ocis-users = [
+            "openid"
+            "email"
+            "profile"
+            "offline_access"
+          ];
+        };
      };
-    };
-    immich-mobile = {
-      displayName = "Immich";
-      originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
-      originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
-      allowInsecureClientDisablePkce = true;
-      scopeMaps = {
-        immich-users = [
-          "openid"
-          "email"
-          "profile"
+
+      hedgedoc = {
+        displayName = "HedgeDoc";
+        originUrl = "https://docs.xinyang.life/";
+        originLanding = "https://docs.xinyang.life/auth/oauth2";
+        allowInsecureClientDisablePkce = true;
+        scopeMaps = {
+          hedgedoc-users = [
+            "openid"
+            "email"
+            "profile"
+          ];
+        };
+      };
+      immich = {
+        displayName = "Immich";
+        originUrl = [
+          "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"
+          "https://immich.xinyang.life:8000/auth/login/"
+          "https://immich.xinyang.life:8000/user-settings/"
        ];
+        originLanding = "https://immich.xinyang.life:8000/auth/login?autoLaunch=0";
+        allowInsecureClientDisablePkce = true;
+        scopeMaps = {
+          immich-users = [
+            "openid"
+            "email"
+            "profile"
+          ];
+        };
      };
-    };
-    miniflux = {
-      displayName = "Miniflux";
-      originUrl = "https://rss.xinyang.life/";
-      originLanding = "https://rss.xinyang.life/";
-      scopeMaps = {
-        miniflux-users = [
-          "openid"
-          "email"
-          "profile"
-        ];
+      miniflux = {
+        displayName = "Miniflux";
+        originUrl = "https://rss.xinyang.life/";
+        originLanding = "https://rss.xinyang.life/";
+        scopeMaps = {
+          miniflux-users = [
+            "openid"
+            "email"
+            "profile"
+          ];
+        };
      };
-    };
-    grafana = {
-      displayName = "Grafana";
-      originUrl = "https://grafana.xinyang.life/";
-      originLanding = "https://grafana.xinyang.life/";
-      scopeMaps = {
-        grafana-users = [
-          "openid"
-          "email"
-          "profile"
-          "groups"
-        ];
-      };
-      claimMaps = {
-        grafana_role = {
-          joinType = "array";
-          valuesByGroup = {
-            grafana-superadmins = [ "GrafanaAdmin" ];
-            grafana-admins = [ "Admin" ];
-            grafana-editors = [ "Editor" ];
+      grafana = {
+        displayName = "Grafana";
+        originUrl = "https://grafana.xinyang.life/";
+        originLanding = "https://grafana.xinyang.life/";
+        scopeMaps = {
+          grafana-users = [
+            "openid"
+            "email"
+            "profile"
+            "groups"
+          ];
+        };
+        claimMaps = {
+          grafana_role = {
+            joinType = "array";
+            valuesByGroup = {
+              grafana-superadmins = [ "GrafanaAdmin" ];
+              grafana-admins = [ "Admin" ];
+              grafana-editors = [ "Editor" ];
+            };
          };
        };
      };
--- a/machines/massicot/networking.nix
+++ b/machines/massicot/networking.nix
@ -1,19 +1,12 @@
 { pkgs, ... }:
 {
-  networking = {
-    interfaces = {
-      eth0.useDHCP = true;
-      eth0.ipv6.addresses = [
-        {
-          address = "2a01:4f8:c17:345f::1";
-          prefixLength = 64;
-        }
-      ];
-    };
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "eth0";
-    };
-    nameservers = [ ];
+  networking.useNetworkd = true;
+  systemd.network.networks."10-wan" = {
+    matchConfig.MACAddress = "96:00:02:68:7d:2d";
+    networkConfig.DHCP = "ipv4";
+    networkConfig.Gateway = "fe80::1";
+    address = [
+      "2a01:4f8:c17:345f::3/64"
+    ];
  };
 }
--- a/machines/massicot/secrets.yaml
+++ b/machines/massicot/secrets.yaml
@ -1,11 +1,17 @@
 storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
 gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str]
-hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
+hedgedoc_env: ENC[AES256_GCM,data:+rjEctM6IJUpn7WcAnBS9TkQi2lCq4wKPxbaOApffH0tFyu56SpECrLpmM749I7th3N+UGb0pLM7+Ywr7fbuuMfUuIWom6Y+CKYw4yMlgjzTaaNqBmstvMxLaPnmA01G9ie1rQ==,iv:YBIyQQ6xiUyxSnR5epE5hV9OqETLKC5CFTEaRJdErGU=,tag:77kHYQ2i2APVyadhMhmvWA==,type:str]
 grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str]
 miniflux:
    oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str]
 forgejo:
    env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str]
+restic:
+    repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str]
+    password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str]
+kanidm:
+    ocis_android_secret: ENC[AES256_GCM,data:vuEIvBEhIME+C/s3xoskddtf5nogC9nPq+HUyyAl3u9nvH3bTzUkfE/1wolaCLeeupnD3pDokdRyKzjEmoZACQ==,iv:cmx/0i23p1uEI0oAiWdcvGRq4+075+VuAMkFSfXzfso=,tag:yVnqz16L5kyW9vAVng53pA==,type:str]
+    ocis_desktop_secret: ENC[AES256_GCM,data:WTfUQzTB9An9p9xof2nuIkD5mYzMaisS62Cv86zX05rkB/wXmTnZiY7ztUoN9OmhGoPgeZg0+d+Jo6bV1hoqlw==,iv:V4iqtYIOcyDXIijcD0IXqpaSs2rxyWiOSZGer/BFSe4=,tag:1nCU1KmWQcY5ZXjlzhxaQQ==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -30,8 +36,8 @@ sops:
            dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
            V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-21T05:54:31Z"
-    mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str]
+    lastmodified: "2024-09-14T05:48:04Z"
+    mac: ENC[AES256_GCM,data:zdGdvk2pMaZYUsTI9XsSUpgtWrNmZNPg7KoV0zAt19h7Qccu3OGTSfXD+rhhhxhhWgBohGIhDVAVQcORnAw1Y/ykgqxERCANuzoBvvR1eKfPcRNiCEr2dmUAybDF7B2MWKlJ5Fsnpk/caK717Fe8XdAJDuplFwmMWi2c1c61/NQ=,iv:KPQTGzFQH+CQmLeXBzMSbU4lVH0/Wc6CeTp6w/pMMOY=,tag:UVA+sQwQa2bpy2/woBgAkQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@ -8,6 +8,9 @@ let
  kanidm_listen_port = 5324;
 in
 {
+  imports = [
+    ./kanidm-provision.nix
+  ];
  networking.firewall.allowedTCPPorts = [
    80
    443
@ -46,33 +49,6 @@ in
    exporters.miniflux.enable = true;
  };

-  systemd.mounts =
-    map
-      (share: {
-        what = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
-        where = "/mnt/storage/${share}";
-        type = "cifs";
-        options = "rw,uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},_netdev,fsc";
-        before = [ "${share}.service" ];
-        after = [ "cachefilesd.service" ];
-        wantedBy = [ "${share}.service" ];
-      })
-      [
-        "forgejo"
-        "gotosocial"
-        "conduit"
-        "hedgedoc"
-      ];
-
-  services.cachefilesd.enable = true;
-
-  system.activationScripts = {
-    conduit-media-link.text = ''
-      mkdir -m 700 -p /var/lib/private/matrix-conduit/media
-      chown conduit:conduit /var/lib/private/matrix-conduit/media
-      mount --bind --verbose /mnt/storage/conduit/media /var/lib/private/matrix-conduit/media
-    '';
-  };
  security.acme = {
    acceptTerms = true;
    certs."auth.xinyang.life" = {
@ -106,7 +82,6 @@ in
      online_backup.versions = 7;
      # db_path = "/var/lib/kanidm/kanidm.db";
    };
-    provision = import ./kanidm-provision.nix;
  };

  custom.miniflux = {
@ -144,6 +119,12 @@ in
    };
  };

+  users.users.conduit = {
+    isSystemUser = true;
+    group = "conduit";
+  };
+  users.groups.conduit = { };
+
  services.gotosocial = {
    enable = true;
    settings = {
--- a/machines/massicot/services/default.nix
+++ b/machines/massicot/services/default.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./restic.nix
+  ];
+}
--- a/machines/massicot/services/restic.nix
+++ b/machines/massicot/services/restic.nix
@ -0,0 +1,51 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  sqliteBackup = path: ''
+    mkdir -p /backup${path}
+    ${lib.getExe pkgs.sqlite} ${path} "vacuum into '/var/backup${path}'"
+  '';
+in
+{
+  sops.secrets = {
+    "restic/repo" = {
+      sopsFile = ../secrets.yaml;
+    };
+    "restic/password" = {
+      sopsFile = ../secrets.yaml;
+    };
+  };
+
+  custom.restic = {
+    enable = true;
+    repositoryFile = config.sops.secrets."restic/repo".path;
+    passwordFile = config.sops.secrets."restic/password".path;
+    paths = [
+      "/var/backup"
+      "/mnt/storage"
+    ];
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    compression = "zstd";
+    compressionLevel = 9;
+    location = "/var/backup/postgresql";
+  };
+
+  services.restic.backups.${config.networking.hostName} = {
+    backupPrepareCommand = builtins.concatStringsSep "\n" [
+      (sqliteBackup "/var/lib/hedgedoc/db.sqlite")
+      (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3")
+      (sqliteBackup "/var/lib/gotosocial/database.sqlite")
+      (sqliteBackup "/var/lib/kanidm/kanidm.db")
+    ];
+    extraBackupArgs = [
+      "--limit-upload=1024"
+    ];
+  };
+}
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@ -2,17 +2,15 @@
  inputs,
  config,
  pkgs,
-  lib,
  modulesPath,
  ...
 }:

-with lib;
-
 {
  imports = [
    inputs.sops-nix.nixosModules.sops
    (modulesPath + "/profiles/qemu-guest.nix")
+    ./services
  ];

  config = {
@ -50,6 +48,10 @@ with lib;
          owner = "caddy";
          mode = "400";
        };
+        "immich/oauth_client_secret" = {
+          owner = "immich";
+          mode = "400";
+        };
      };
    };

@ -89,6 +91,31 @@ with lib;
      environment = {
        IMMICH_MACHINE_LEARNING_ENABLED = "false";
      };
+      database.enable = true;
+    };
+
+    custom.immich.jsonSettings = {
+      oauth = {
+        enabled = true;
+        issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
+        clientId = "immich";
+        clientSecret = {
+          _secret = config.sops.secrets."immich/oauth_client_secret".path;
+        };
+        scope = "openid email profile";
+        signingAlgorithm = "ES256";
+        storageLabelClaim = "email";
+        buttonText = "Login with Kanidm";
+        autoLaunch = true;
+        mobileOverrideEnabled = true;
+        mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+      };
+      passwordLogin = {
+        enabled = false;
+      };
+      newVersionCheck = {
+        enabled = false;
+      };
    };

    services.dae = {
--- a/machines/weilite/secrets.yaml
+++ b/machines/weilite/secrets.yaml
@ -1,4 +1,6 @@
 cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
+immich:
+    oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -23,8 +25,8 @@ sops:
            V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
            RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-07-29T09:05:41Z"
-    mac: ENC[AES256_GCM,data:4RX5WtJnI4R2OAKNljo8IhBNTR+PSSFsT4rE0mjS4pEdWyJilAgLwcVU0DEDp7thHeT+YyjDQ9d3z1aeGALlJ3sV57azu4F9/KXixvZMKJtmFRsC74OTSBzFfnA4W9MjOTn95L+RQOJ/3UH1FAZ7UHAe3Os98kNW98D/Nv4S9us=,iv:En7RNovlF1yRURu9fGHRgWvsr3FzpeLtrKELtqkJUb8=,tag:4eVlLsraN17rBbAL7xOHnQ==,type:str]
+    lastmodified: "2024-09-07T14:56:37Z"
+    mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.0
--- a/machines/weilite/services/default.nix
+++ b/machines/weilite/services/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./ocis.nix
+    ./restic.nix
+  ];
+}
--- a/machines/weilite/services/ocis.nix
+++ b/machines/weilite/services/ocis.nix
@ -0,0 +1,36 @@
+{ config, pkgs, ... }:
+{
+  sops = {
+    secrets = {
+      "ocis/env" = {
+        sopsFile = ../secrets.yaml;
+      };
+    };
+  };
+
+  services.ocis = {
+    enable = true;
+    package = pkgs.ocis-bin;
+    stateDir = "/var/lib/ocis";
+    url = "https://drive.xinyang.life:8443";
+    address = "127.0.0.1";
+    port = 9200;
+    environment = {
+      OCIS_INSECURE = "false";
+      OCIS_LOG_LEVEL = "trace";
+      OCIS_LOG_PRETTY = "true";
+      # For reverse proxy. Disable tls.
+      OCIS_PROXY_TLS = "false";
+      WEB_OIDC_CLIENT_ID = "owncloud";
+      WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud";
+      OCIS_EXCLUDE_RUN_SERVICES = "idp";
+      PROXY_OIDC_REWRITE_WELLKNOWN = "true";
+    };
+  };
+
+  networking.allowedTCPPorts = [ 8443 ];
+
+  services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
+    reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address}
+  '';
+}
--- a/machines/weilite/services/restic.nix
+++ b/machines/weilite/services/restic.nix
@ -0,0 +1,18 @@
+{ config, ... }:
+{
+  services.restic.server = {
+    enable = true;
+    dataDir = "/var/lib/restic";
+    listenAddress = "127.0.0.1:19573";
+    privateRepos = "true";
+    extraFlags = [
+      "--append-only"
+    ];
+  };
+
+  networking.allowedTCPPorts = [ 8443 ];
+
+  services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
+    reverse_proxy ${config.services.restic.server.listenAddress}
+  '';
+}
--- a/modules/nixos/immich.nix
+++ b/modules/nixos/immich.nix
@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  pkgs,
+  utils,
+  ...
+}:
+let
+  cfg = config.custom.immich;
+  upstreamCfg = config.services.immich;
+  settingsFormat = pkgs.formats.json { };
+  user = config.systemd.services.immich-server.serviceConfig.User;
+  group = config.systemd.services.immich-server.serviceConfig.Group;
+in
+{
+  options = {
+    custom.immich.jsonSettings = lib.mkOption {
+      type = lib.types.submodule {
+        freeformType = settingsFormat.type;
+      };
+      default = { };
+    };
+  };
+  config = {
+    /*
+      LoadCredential happens before preStart. We need to ensure the
+      configuration file exist, otherwise LoadCredential will fail.
+    */
+    systemd.tmpfiles.settings = lib.mkIf upstreamCfg.enable {
+      "10-etc-immich" = {
+        "/etc/immich" = {
+          d = {
+            inherit user group;
+            mode = "0600";
+          };
+        };
+        "/etc/immich/config.json" = {
+          "f+" = {
+            inherit user group;
+            mode = "0600";
+          };
+        };
+      };
+    };
+
+    systemd.services.immich-server = {
+      preStart = ''
+        umask 0077
+        ${utils.genJqSecretsReplacementSnippet cfg.jsonSettings "/etc/immich/config.json"}
+      '';
+      serviceConfig = {
+        LoadCredential = "config:/etc/immich/config.json";
+        Environment = "IMMICH_CONFIG_FILE=%d/config";
+      };
+    };
+  };
+}