chore: clean up unused options

flake.nix

@@ -115,7 +115,7 @@
         self.homeManagerModules.default
         sops-nix.homeManagerModules.sops
         nix-index-database.hmModules.nix-index
-        catppuccin.homeManagerModules.catppuccin
+        catppuccin.homeModules.catppuccin
       ];
       sharedNixosModules = [
         self.nixosModules.default

machines/calcite/configuration.nix

@@ -5,7 +5,7 @@
   ...
 }:
 let
-  inherit (lib) mkForce getExe;
+  inherit (lib) getExe;
   inherit (config.my-lib.settings) idpUrl;
 in
 {
@@ -17,7 +17,7 @@ in
   ];
 
   commonSettings = {
-    # auth.enable = true;
+    auth.enable = true;
     nix = {
       signing.enable = true;
     };
@@ -37,7 +37,6 @@ in
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
   boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  # boot.kernelPackages = pkgs.linuxPackages_latest;
   boot.kernelModules = [
     "nvidia"
     "nvidia_modeset"
@@ -61,7 +60,6 @@ in
     # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
     tctiEnvironment.enable = true;
   };
-  # services.gnome.gnome-keyring.enable = lib.mkForce false;
   security.pam.services.login.enableGnomeKeyring = lib.mkForce false;
 
   programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so";
@@ -187,7 +185,6 @@ in
         settings = {
           main = {
             mouse2 = "leftmeta";
-            # leftalt = "mouse1";
           };
         };
       };
@@ -206,7 +203,6 @@ in
     extraBackends = [ pkgs.hplipWithPlugin ];
   };
 
-  hardware.pulseaudio.enable = false;
   security.rtkit.enable = true;
   services.avahi.enable = true;
   services.pipewire = {
@@ -217,23 +213,6 @@ in
     pulse.enable = true;
     # If you want to use JACK applications, uncomment this
     jack.enable = true;
-
-    # Airplay client
-    raopOpenFirewall = true;
-    extraConfig.pipewire = {
-      "10-airplay" = {
-        "context.modules" = [
-          {
-            name = "libpipewire-module-raop-discover";
-
-            # increase the buffer size if you get dropouts/glitches
-            # args = {
-            #   "raop.latency.ms" = 500;
-            # };
-          }
-        ];
-      };
-    };
   };
 
   # Define a user account. Don't forget to set a password with ‘passwd’.
@@ -249,13 +228,6 @@ in
     ];
   };
 
-  services.kanidm = {
-    enableClient = true;
-    clientSettings = {
-      uri = "https://${idpUrl}";
-    };
-  };
-
   # Smart services
   services.smartd.enable = true;
 
@@ -264,11 +236,7 @@ in
   nixpkgs.config.allowUnfree = true;
   nixpkgs.config.permittedInsecurePackages = [
     "openssl-1.1.1w"
-    # FIXME: Waiting for https://github.com/NixOS/nixpkgs/pull/335753
-    "jitsi-meet-1.0.8043"
   ];
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
   environment.systemPackages = with pkgs; [
     imhex
     oidc-agent
@@ -292,8 +260,6 @@ in
     bubblewrap
 
     # ==== Development ==== #
-    # Python
-    # reference: https://nixos.wiki/wiki/Python
     (
       let
         my-python-packages =
@@ -340,7 +306,6 @@ in
 
     # Writting
     zotero
-    # onlyoffice-bin
 
     # wemeet
     wemeet
@@ -367,10 +332,6 @@ in
       owner = "xin";
       sopsFile = ./secrets.yaml;
     };
-    "gitea/envfile" = {
-      owner = "root";
-      sopsFile = ./secrets.yaml;
-    };
     "davfs2/photosync_password" = {
       sopsFile = ./secrets.yaml;
       mode = "0600";
@@ -401,16 +362,6 @@ in
     ];
   };
 
-  # custom.forgejo-actions-runner = {
-  #   enable = false;
-  #   tokenFile = config.sops.secrets."gitea/envfile".path;
-  #   settings = {
-  #     runner.capacity = 2;
-  #     runner.fetch_timeout = "120s";
-  #     runner.fetch_interval = "30s";
-  #   };
-  # };
-  #
   custom.prometheus = {
     exporters.node.enable = true;
   };

machines/calcite/hardware-configuration.nix

@@ -18,7 +18,6 @@
     "ahci"
     "usbhid"
   ];
-  boot.initrd.kernelModules = [ ];
 
   boot.initrd = {
     systemd.enable = true; # initrd uses systemd
@@ -31,10 +30,8 @@
     };
   };
   boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];
 
   fileSystems."/" = {
-    # device = "/dev/disk/by-label/NIXROOT";
     device = "/dev/mapper/cryptroot";
     fsType = "btrfs";
   };
@@ -57,16 +54,6 @@
 
   swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ];
 
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
-
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
   hardware.graphics = {

machines/calcite/network.nix

@@ -1,14 +1,7 @@
 {
-  config,
   pkgs,
-  lib,
   ...
 }:
-let
-  inherit (config.my-lib.settings)
-    internalDomain
-    ;
-in
 {
   imports = [ ];
 
@@ -28,14 +21,7 @@ in
     enable = true;
     extraUpFlags = [ "--accept-routes" ];
   };
-  # services.tailscale.useRoutingFeatures = "both";
 
-  # services.dae.enable = true;
-  # services.dae.configFile = "/var/lib/dae/config.dae";
-  # systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [
-  #   "NetworkManager-wait-online.service"
-  # ];
-  #
   # Open ports in the firewall.
   networking.firewall.enable = true;
   networking.firewall.allowedTCPPorts = [ 3389 ];

machines/calcite/secrets.yaml

@@ -1,15 +1,9 @@
 restic:
     repo_url: ENC[AES256_GCM,data:x/g1nZQ59SavVG+u5apNmBQ0Y5uQ9N0EKVh6qovqeP/Z7tmkudJtlBFD35C0ZidcQLAqTaZk1FFh8Ikjo4OcQSdTsx9BGvT4,iv:RQMOSEacDHXjYceBaAW4sFGk38vkijHuADcTS3DMxa8=,tag:769rLA2eRKjDrAaL/jERbA==,type:str]
     repo_password: ENC[AES256_GCM,data:jqsIP1R5/yX8F0oYaSXACx6C,iv:KckzqctKLnmay+d30/Y4IttiASxYnMw6IHQrtwP2YdQ=,tag:L/Ij51UU1om48I8fd4iuwA==,type:str]
-gitea:
-    envfile: ENC[AES256_GCM,data:CK+JNELuzjKgWnImuV4Euif3f3nNOACOrvc4NiIXs+q/F7QWrtpb3TK8/FrLNQk=,iv:QSDrlKJCBld2gDx/y1sT8anh37GhqSS2QZd2JJi5Yis=,tag:x5T6h59LBXhEyVwSr2dnuQ==,type:str]
 davfs2:
     photosync_password: ENC[AES256_GCM,data:J3+pJCjjV+hlPC2il5f7Vn+9k+Aatolgut1DX1G+JF4=,iv:OgZn6Glho3Cfrl0GJhGSbmcYjSe6sjM9PjvEZnM/c4w=,tag:i5AVG139nK3ecK3VwWpQuQ==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
           enc: |
@@ -29,8 +23,7 @@ sops:
             WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
             FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-07T08:57:13Z"
+    lastmodified: "2025-05-08T09:47:09Z"
-    mac: ENC[AES256_GCM,data:UvMXEu2UFapYNHa7kxvFhDzvJZvuV6mwRqmxFISDpp0VhRhY1+Mj2GFxrS5RgTW1ozUnCB0DSBUwWcmsPZeOUveMkHqqRFGZIjinh6blwseZjJMOR30KG3atY6L2adOOZaBERi+HJXqXfdqymeSCmkMC5iJ2jt2KGuMx5NqSfbE=,iv:pueL1hT/tvug65KPYxqY3RwNYeBOlGpIFf70+26VOYQ=,tag:VLwuipBxchMBSSuOMXYKJQ==,type:str]
+    mac: ENC[AES256_GCM,data:pBryBOfgVYROAJ6LfqpEXz8ph4bcAoWLADibpET0jwb4CBNuEW9BWXzVu+Ci+gKjKhSxh8xwr+TLSvo8zNOeGz/Mdl2vVaEWNKX4dUMMd9IXRJ+8jSlhxkMWPi25xoiMjY763MgOnBYsdqPpKKB1xLHkRtULAHlZ2m3VhVWxMWM=,iv:egYcxVjCH4uPbHvCcU9MVCRHoDbNH8tYet1vyDf9nhw=,tag:DDBC0TSdsnaF3SFTuH6rOQ==,type:str]
-    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2

machines/weilite/default.nix

@@ -1,5 +1,4 @@
 {
-  config,
   pkgs,
   lib,
   modulesPath,
@@ -12,13 +11,6 @@
     ./services
   ];
 
-  options = {
-    node = lib.mkOption {
-      type = lib.types.attrs;
-      default = { };
-    };
-  };
-
   config = {
     networking = {
       hostName = "weilite";
@@ -41,9 +33,6 @@
       comin.enable = true;
       network.localdns.enable = true;
     };
-    node = {
-      mediaDir = "/mnt/nixos/media";
-    };
 
     boot = {
       loader = {
@@ -144,11 +133,6 @@
       ];
     };
 
-    services.openssh.ports = [
-      22
-      2222
-    ];
-
     services.tailscale = {
       enable = true;
       openFirewall = true;

machines/weilite/secrets.yaml

@@ -1,6 +1,7 @@
 caddy:
     cf_dns_token: ENC[AES256_GCM,data:7PvP3oYMZ3dAeWaJNiuvEweUf3psDhyu90FT6cP0/AIOa0E40sdIRQ==,iv:IIYnZ35xAm9JJa14oHJi+ddI0u7Pgc4MfPLnKT4IlPc=,tag:V1PGZpaVzdN2cLpktbvTnA==,type:str]
-    dnspod_dns_token: ENC[AES256_GCM,data:ATed7RqLu1u06B61Irhd4SCzjK/Z823ygAgzROsNixZ2rExpB/Xo,iv:L121CGA+iZhn9V6mG2qEu3FI91/s7JO3cVTAwmAeqGw=,tag:l/7MXMZNqgFBwgCCMeZR2A==,type:str]
+    huawei_dns_access_key: ENC[AES256_GCM,data:3y9Sl9RDJlRkgTsctH8O4gRAcAU=,iv:2e03AKVniVYFyHV6KB00I/Y1rHD0Ira6kgly7zDqNT0=,tag:w6j1g329XIOrvshx7Ft7aA==,type:str]
+    huawei_dns_secret_key: ENC[AES256_GCM,data:or4WW7uFvbIoUwh1G63YDQxTFUnkkYrDJG0HEqoKzOSV+8rqy9cHrA==,iv:wB+TT8bh7jhN0ppJ3pqh882cs6RczpOtxKuYuyjRhMY=,tag:GlTSuYeGrGY/3b0g7IbLzw==,type:str]
 immich:
     oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
     auto_stack_apikey: ENC[AES256_GCM,data:pormMdxkevrw1sJrmVtD+jEbfQFTOHeyZRepZt2roftjDYAdbzpppg==,iv:wumPYaTAfU+J0MD6yOFKmxY8eDMzwqVsd3IUXyTfk0A=,tag:54HlWH3iKyWG2Gv9QS/wLA==,type:str]
@@ -16,10 +17,6 @@ webdav:
     photosync:
         password: ENC[AES256_GCM,data:s+omleBtVALG5bpbTnlzbwBj0oCZX8Dm8IbcUV6COnI=,iv:vwCs3ujmCcE87rl91ZtOEAgSQF1/0t17/7/0UM4x8fE=,tag:ylw76CX9SCylWoJt86rmjg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
           enc: |
@@ -39,8 +36,7 @@ sops:
             V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
             RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-06T14:28:44Z"
+    lastmodified: "2025-05-08T13:07:05Z"
-    mac: ENC[AES256_GCM,data:tYAhkwRs2CFOUCw3Iuq6T5C+QkbpSz80fI6CP65VyFrNiej9hshmjngPnf8bFElF+bHI64a/zpo2y4CqV213011tOX2YYvLD5zrAQb18rBFUdJblY5wQyx/DXiPaIf5jK6WGHIRaOmqZJuqXKrQKnf99N12JydXjt6usBGGZr8M=,iv:wySf7lctw14iUbKo5fDu+p6TMY5QXGYYmBukh2qb19I=,tag:pZrnFiNZEK01pnDN0+1Rcw==,type:str]
+    mac: ENC[AES256_GCM,data:19bgXUH6rhQLin0RO0F5pgqzNIzHq5x+oSpIscbDimRvUhnvalMX6KSmbVgrHeNHrx4n3MpwI65Z+/6eeiR0Y6O2MOv49580UVKIEEP/yAPd3tbOW28/WsNp7MMhtF1Fx6o/rirV+H4vkvzq9+/z3tHO2MMjh9LeLcFB36b8ZD8=,iv:lU9o59P8BS1Azd0lVRtq8d3yNau54J9attOEiC32E4E=,tag:zUawHckwaXSxc7RWimVPUQ==,type:str]
-    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2

machines/weilite/services/caddy.nix

@@ -6,14 +6,19 @@
         owner = "caddy";
         mode = "400";
       };
-      "caddy/dnspod_dns_token" = {
+      "caddy/huawei_dns_access_key" = {
+        owner = "caddy";
+        mode = "400";
+      };
+      "caddy/huawei_dns_secret_key" = {
         owner = "caddy";
         mode = "400";
       };
     };
     templates."caddy.env".content = ''
       CF_API_TOKEN=${config.sops.placeholder."caddy/cf_dns_token"}
-      DNSPOD_API_TOKEN=${config.sops.placeholder."caddy/dnspod_dns_token"}
+      HUAWEICLOUD_ACCESS_KEY=${config.sops.placeholder."caddy/huawei_dns_access_key"}
+      HUAWEICLOUD_SECRET_KEY=${config.sops.placeholder."caddy/huawei_dns_secret_key"}
     '';
   };
 
@@ -22,28 +27,25 @@
       acmeCF = "tls {
         dns cloudflare {env.CF_API_TOKEN}
       }";
-      acmeDnspod = "tls {
+      acmeHuawei = "tls {
-        dns dnspod {env.DNSPOD_API_TOKEN}
+        dns huaweicloud  {
+          access_key_id {env.HUAWEICLOUD_ACCESS_KEY}
+          secret_access_key {env.HUAWEICLOUD_SECRET_KEY}
+        }
       }";
     in
     {
       enable = true;
       package = pkgs.caddy.withPlugins {
         plugins = [
-          "github.com/caddy-dns/cloudflare@v0.0.0-20240703190432-89f16b99c18e"
+          "github.com/caddy-dns/cloudflare@v0.2.1"
-          "github.com/caddy-dns/dnspod@v0.0.4"
         ];
-        hash = "sha256-/BxdY36MZriRNhh3peU+XjYRAuuYiKhLY+RwO45Q2Ws=";
+        hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
       };
       virtualHosts."derper00.namely.icu:8443".extraConfig = ''
-        ${acmeDnspod}
+        ${acmeCF}
         reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
       '';
-      # API Token must be added in systemd environment file
-      virtualHosts."immich.xinyang.life:8000".extraConfig = ''
-        ${acmeDnspod}
-        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
-      '';
       virtualHosts."immich.xiny.li:8443".extraConfig = ''
         ${acmeCF}
         reverse_proxy 127.0.0.1:${toString config.services.immich.port}