diff --git a/flake.nix b/flake.nix index 8c38287..c3c5982 100644 --- a/flake.nix +++ b/flake.nix @@ -85,7 +85,7 @@ { ... }: { options.my-lib = nixpkgs.lib.mkOption { - type = nixpkgs.lib.types.freeformType; + type = nixpkgs.lib.types.attrs; default = import ./overlays/my-lib; }; config = { diff --git a/machines/biotite/services/forgejo.nix b/machines/biotite/services/forgejo.nix index 551cbcc..7321b89 100644 --- a/machines/biotite/services/forgejo.nix +++ b/machines/biotite/services/forgejo.nix @@ -38,7 +38,7 @@ let OPENID_CONNECT_SCOPES = "openid profile email groups"; }; metrics = { - ENABLED = true; + # ENABLED = true; }; other = { SHOW_FOOTER_VERSION = false; diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index 1531899..2e99cbd 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -334,16 +334,16 @@ in ]; }; - custom.forgejo-actions-runner = { - enable = false; - tokenFile = config.sops.secrets."gitea/envfile".path; - settings = { - runner.capacity = 2; - runner.fetch_timeout = "120s"; - runner.fetch_interval = "30s"; - }; - }; - + # custom.forgejo-actions-runner = { + # enable = false; + # tokenFile = config.sops.secrets."gitea/envfile".path; + # settings = { + # runner.capacity = 2; + # runner.fetch_timeout = "120s"; + # runner.fetch_interval = "30s"; + # }; + # }; + # custom.prometheus = { exporters.node.enable = true; }; diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index d0a93a3..68fc2ee 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -52,10 +52,6 @@ owner = "caddy"; mode = "400"; }; - "immich/oauth_client_secret" = { - owner = "immich"; - mode = "400"; - }; "restic/localpass" = { owner = "restic"; }; @@ -72,6 +68,10 @@ }; }; + custom.monitoring = { + loki.enable = true; + }; + systemd.mounts = [ { what = "immich"; 
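Review bot: `type = nixpkgs.lib.types.attrs;` in the flake.nix hunk is a type that nixpkgs itself flags as legacy: it does not recurse into attribute sets when merging, silently drops earlier definitions and does not discharge `mkIf`/`mkDefault`, so a second definition of `my-lib` anywhere would win wholesale rather than merge. For an option that is only ever read through its `default = import ./overlays/my-lib;` that is harmless today, but `type = nixpkgs.lib.types.attrsOf nixpkgs.lib.types.anything;` (or `lib.types.raw` if merging is deliberately unwanted) states the intended contract. Whether anything else defines `my-lib` is not visible from this hunk.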
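Review bot: The forgejo.nix hunk disables metrics by commenting the line out, `# ENABLED = true;`, which leaves an empty `metrics = { };` and relies on the Forgejo default instead of saying what is wanted; `ENABLED = false;` declares the state of the Prometheus endpoint explicitly, or drop the block entirely. The calcite configuration.nix hunk does the same with the whole `custom.forgejo-actions-runner` block, which was already `enable = false`; deleting it is cleaner than nine commented lines, and if `sops.secrets."gitea/envfile"` was declared only for that runner it is now a secret deployed to the host with no consumer, which is worth removing too (its declaration is outside this diff, so that is an inference).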
@@ -108,43 +108,6 @@ 2222 ]; - services.immich = { - enable = true; - mediaLocation = "/mnt/XinPhotos/immich"; - host = "127.0.0.1"; - port = 3001; - openFirewall = true; - machine-learning.enable = true; - environment = { - IMMICH_MACHINE_LEARNING_ENABLED = "true"; - }; - database.enable = true; - }; - - custom.immich.jsonSettings = { - oauth = { - enabled = true; - issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/"; - clientId = "immich"; - clientSecret = { - _secret = config.sops.secrets."immich/oauth_client_secret".path; - }; - scope = "openid email profile"; - signingAlgorithm = "ES256"; - storageLabelClaim = "email"; - buttonText = "Login with Kanidm"; - autoLaunch = true; - mobileOverrideEnabled = true; - mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; - }; - passwordLogin = { - enabled = false; - }; - newVersionCheck = { - enabled = false; - }; - }; - services.dae = { enable = true; configFile = "/var/lib/dae/config.dae"; diff --git a/machines/weilite/services/default.nix b/machines/weilite/services/default.nix index d70e175..0a6e4ca 100644 --- a/machines/weilite/services/default.nix +++ b/machines/weilite/services/default.nix @@ -3,5 +3,6 @@ ./ocis.nix ./restic.nix ./media-download.nix + ./immich.nix ]; } diff --git a/machines/weilite/services/immich.nix b/machines/weilite/services/immich.nix new file mode 100644 index 0000000..33a98d3 --- /dev/null +++ b/machines/weilite/services/immich.nix 
@@ -0,0 +1,63 @@
+{
+ config,
+ ...
+}:
+let
+ user = config.systemd.services.immich-server.serviceConfig.User;
+ jsonSettings = {
+ oauth = {
+ enabled = true;
+ issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
+ clientId = "immich";
+ clientSecret = config.sops.placeholder."immich/oauth_client_secret";
+ scope = "openid email profile";
+ signingAlgorithm = "ES256";
+ storageLabelClaim = "email";
+ buttonText = "Login with Kanidm";
+ autoLaunch = true;
+ mobileOverrideEnabled = true;
+ mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+ };
+ passwordLogin = {
+ enabled = false;
+ };
+ image = {
+ extractEmbedded = true;
+ };
+ newVersionCheck = {
+ enabled = false;
+ };
+ };
+in
+{
+ config = {
+ sops.secrets."immich/oauth_client_secret" = { };
+
+ sops.templates."immich/config.json" = {
+ owner = user; # Read when running
+ content = builtins.toJSON jsonSettings;
+ };
+
+ systemd.services.immich-server = {
+ serviceConfig = {
+ Environment = "IMMICH_CONFIG_FILE=${config.sops.templates."immich/config.json".path}";
+ };
+ };
+
+ services.immich = {
+ enable = true;
+ mediaLocation = "/mnt/XinPhotos/immich";
+ host = "127.0.0.1";
+ port = 3001;
+ openFirewall = true;
+ machine-learning.enable = true;
+ environment = {
+ IMMICH_MACHINE_LEARNING_ENABLED = "true";
+ };
+ database.enable = true;
+ };
+
+ # https://github.com/NixOS/nixpkgs/pull/324127/files#r1723763510
+ services.immich.redis.host = "/run/redis-immich/redis.sock";
+ };
+}
diff --git a/modules/nixos/common-settings/auth.nix b/modules/nixos/common-settings/auth.nix
index d0a54cb..1cd85ec 100644
--- a/modules/nixos/common-settings/auth.nix
+++ b/modules/nixos/common-settings/auth.nix
@@ -9,8 +9,6 @@
 let
 inherit (lib)
 mkIf
 mkEnableOption
- mkOption
- types
 ;
 cfg = config.commonSettings.auth;
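Review bot: `openFirewall = true;` in the new immich.nix opens port 3001 while the service is bound with `host = "127.0.0.1";`, so it does nothing today and would expose the API directly the moment `host` is widened; with the mobile redirect URI pointing at `:8000`, the instance is presumably fronted by a reverse proxy, so `openFirewall = false;` looks like the intended setting. The rendered `sops.templates."immich/config.json"` contains the OAuth client secret in clear text and only sets `owner = user;`, relying on sops-nix's default template mode (0400, to my knowledge); an explicit `mode = "0400";` beside it documents that the file is deliberately unreadable to anyone but the service user. The `# Read when running` comment could state the actual contract, e.g. `# Rendered by sops-nix with the client secret substituted; immich-server reads it at startup via IMMICH_CONFIG_FILE.`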
@@ -21,25 +19,43 @@ in }; config = mkIf cfg.enable { - custom.kanidm-client = { - enable = true; - uri = "https://auth.xinyang.life"; - asSSHAuth = { - enable = true; - allowedGroups = [ "linux_users" ]; + services.kanidm = { + enableClient = true; + clientSettings = { + uri = "https://auth.xinyang.life"; + }; + enablePam = true; + unixSettings = { + pam_allowed_login_groups = [ "linux_users" ]; + default_shell = "/bin/sh"; }; - sudoers = [ "xin@auth.xinyang.life" ]; }; services.openssh = { + enable = true; + authorizedKeysCommand = "/etc/ssh/auth %u"; + authorizedKeysCommandUser = "kanidm-ssh-runner"; settings = { PasswordAuthentication = false; KbdInteractiveAuthentication = false; - PermitRootLogin = "no"; - GSSAPIAuthentication = "no"; - KerberosAuthentication = "no"; + PermitRootLogin = lib.mkForce "no"; }; }; + + environment.etc."ssh/auth" = { + mode = "0555"; + text = '' + #!${pkgs.stdenv.shell} + ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1 + ''; + }; + users.groups.wheel.members = [ "xin@auth.xinyang.life" ]; + users.groups.kanidm-ssh-runner = { }; + users.users.kanidm-ssh-runner = { + isSystemUser = true; + group = "kanidm-ssh-runner"; + }; + services.fail2ban.enable = true; security.sudo = { diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 2f7902f..d2f210d 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -8,9 +8,5 @@ ./disk-partitions ./restic.nix ./monitor - ./kanidm-client.nix - # ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge - ./forgejo-actions-runner.nix - ./immich.nix ]; } diff --git a/modules/nixos/immich.nix b/modules/nixos/immich.nix deleted file mode 100644 index d79afc1..0000000 --- a/modules/nixos/immich.nix +++ /dev/null 
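Review bot: The `/etc/ssh/auth` script added in this hunk passes the sshd-supplied user name to the helper unquoted, `${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1`; sshd execs the command without a shell, but the script is a shell script, so the argument is re-split and glob-expanded there — it should read `exec ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys "$1"`, with `exec` making the helper's exit status the one sshd evaluates before trusting the output. `users.groups.wheel.members = [ "xin@auth.xinyang.life" ];` adds an identity that exists only through kanidm-unixd to the sudo-capable group; whether NixOS's generated /etc/group keeps a member that is not a locally declared user should be confirmed on a deployed host (`getent group wheel`), since the `security.sudo` block that consumes it begins at the end of the hunk and continues outside it. The enclosing `config = mkIf cfg.enable {` attribute set also extends past the hunk.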
@@ -1,60 +0,0 @@
-{
- config,
- lib,
- pkgs,
- utils,
- ...
-}:
-let
- cfg = config.custom.immich;
- upstreamCfg = config.services.immich;
- settingsFormat = pkgs.formats.json { };
- user = config.systemd.services.immich-server.serviceConfig.User;
- group = config.systemd.services.immich-server.serviceConfig.Group;
-in
-{
- options = {
- custom.immich.jsonSettings = lib.mkOption {
- type = lib.types.submodule {
- freeformType = settingsFormat.type;
- };
- default = { };
- };
- };
- config = {
- /*
- LoadCredential happens before preStart. We need to ensure the
- configuration file exist, otherwise LoadCredential will fail.
- */
- systemd.tmpfiles.settings = lib.mkIf upstreamCfg.enable {
- "10-etc-immich" = {
- "/etc/immich" = {
- d = {
- inherit user group;
- mode = "0700";
- };
- };
- "/etc/immich/config.json" = {
- "f+" = {
- inherit user group;
- mode = "0600";
- };
- };
- };
- };
-
- systemd.services.immich-server = {
- preStart = ''
- umask 0077
- ${utils.genJqSecretsReplacementSnippet cfg.jsonSettings "/etc/immich/config.json"}
- '';
- serviceConfig = {
- LoadCredential = "config:/etc/immich/config.json";
- Environment = "IMMICH_CONFIG_FILE=%d/config";
- };
- };
-
- # https://github.com/NixOS/nixpkgs/pull/324127/files#r1723763510
- services.immich.redis.host = "/run/redis-immich/redis.sock";
- };
-}