From 4822043a8bc366965402d57a9bbfad93185e0e40 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 23 Sep 2024 20:16:19 +0800 Subject: [PATCH 1/8] massicot: switch to ssd --- machines/massicot/kanidm-provision.nix | 6 +++++ machines/massicot/services.nix | 34 ++++++++++++++++++++------ machines/massicot/services/restic.nix | 18 +++++++------- 3 files changed, 41 insertions(+), 17 deletions(-) diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 2439be6..bd38b03 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -37,6 +37,7 @@ "xin" "zhuo" "ycm" + "yzl" ]; }; grafana-superadmins = { @@ -73,6 +74,11 @@ displayName = "Chunming"; mailAddresses = [ "chunmingyou@gmail.com" ]; }; + + yzl = { + displayName = "Zhengli Yang"; + mailAddresses = [ "13391935399@189.cn" ]; + }; }; systems.oauth2 = { forgejo = { diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 4be75c5..dfdac4d 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix 
@@ -268,15 +268,33 @@ in virtualHosts."http://auth.xinyang.life:80".extraConfig = '' reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} ''; - virtualHosts."https://auth.xinyang.life".extraConfig = '' - reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { - header_up Host {upstream_hostport} - header_down Access-Control-Allow-Origin "*" - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} + virtualHosts."https://auth.xinyang.life".extraConfig = + let + reverseProxyKanidm = '' + reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { + header_up Host {upstream_hostport} + header_down Access-Control-Allow-Origin "*" + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } } - } - ''; + ''; + in + '' + reverse_proxy /oauth2/openid/owncloud/userinfo https://127.0.0.1:${toString kanidm_listen_port} { + header_up Host {upstream_hostport} + header_down Access-Control-Allow-Origin "*" + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + @error status 400 + handle_response @error { + rewrite /oauth2/openid/owncloud/userinfo /oauth2/openid/owncloud-android/userinfo + ${reverseProxyKanidm} + } + } + ${reverseProxyKanidm} + ''; virtualHosts."https://rss.xinyang.life".extraConfig = '' reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR} diff --git a/machines/massicot/services/restic.nix b/machines/massicot/services/restic.nix index 9a319bb..c8c28be 100644 --- a/machines/massicot/services/restic.nix +++ b/machines/massicot/services/restic.nix @@ -5,9 +5,9 @@ ... }: let - sqliteBackup = path: '' - mkdir -p /backup${path} - ${lib.getExe pkgs.sqlite} ${path} "vacuum into '/var/backup${path}'" + sqliteBackup = fromPath: toPath: file: '' + mkdir -p ${toPath} + ${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'" ''; in { 
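Review bot: The `@error status 400` fallback inside the `/oauth2/openid/owncloud/userinfo` proxy silently re-sends every 400 response's request to the `owncloud-android` client's userinfo endpoint, and nothing in the hunk records why; a token issued for one OAuth2 client is thereby presented to another client's endpoint, so this deserves a comment such as `# Android ownCloud client calls userinfo under the "owncloud" client id but its token belongs to "owncloud-android"; retry there on 400 — TODO narrow once the redirect-URL issue is fixed`. The inline `reverse_proxy` block also duplicates the body of `reverseProxyKanidm` line for line (header_up, header_down, transport); making the binding take the path as a parameter (`reverseProxyKanidm = path: ''reverse_proxy ${path} https://127.0.0.1:${toString kanidm_listen_port} { … }''`) keeps both blocks in sync when the TLS or header settings change. The `header_down Access-Control-Allow-Origin "*"` carried over from the old block now applies to the userinfo path too; presumably intended for browser-based clients, but worth confirming it is still needed on the unrestricted kanidm proxy. The enclosing `virtualHosts` attribute set continues outside the hunk.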
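Review bot: `mkdir -p ${toPath}` creates the per-service dump directory with the calling shell's umask, and the files written there by `.backup` are full copies of `kanidm.db` and the bitwarden_rs database, i.e. credential stores; tightening it to `mkdir -p -m 0700 ${toPath}` keeps the copies unreadable by other local users regardless of how `/backup` itself is set up (not visible here). The switch from `vacuum into` to `.backup` is the right call for a consistent online copy and is not re-raised. The `let` binding's scope (`in {`) runs past the end of the hunk.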
@@ -25,7 +25,7 @@ in repositoryFile = config.sops.secrets."restic/repo".path; passwordFile = config.sops.secrets."restic/password".path; paths = [ - "/var/backup" + "/backup" "/mnt/storage" ]; }; @@ -34,15 +34,15 @@ in enable = true; compression = "zstd"; compressionLevel = 9; - location = "/var/backup/postgresql"; + location = "/backup/postgresql"; }; services.restic.backups.${config.networking.hostName} = { backupPrepareCommand = builtins.concatStringsSep "\n" [ - (sqliteBackup "/var/lib/hedgedoc/db.sqlite") - (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3") - (sqliteBackup "/var/lib/gotosocial/database.sqlite") - (sqliteBackup "/var/lib/kanidm/kanidm.db") + (sqliteBackup "/var/lib/hedgedoc/db.sqlite" "/backup/hedgedoc" "db.sqlite") + (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3" "/backup/bitwarden_rs" "db.sqlite3") + (sqliteBackup "/var/lib/gotosocial/database.sqlite" "/backup/gotosocial" "database.sqlite") + (sqliteBackup "/var/lib/kanidm/kanidm.db" "/backup/kanidm" "kanidm.db") ]; extraBackupArgs = [ "--limit-upload=1024" From bba16ea4da17a774aa829bda8b94ca5189d0f5c6 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 23 Sep 2024 20:17:26 +0800 Subject: [PATCH 2/8] weilite/{restic,ocis}: add --- machines/weilite/default.nix | 38 ++++++++++++++++++----- machines/weilite/secrets.yaml | 5 +-- machines/weilite/services/cloudflared.nix | 9 ++++++ machines/weilite/services/ocis.nix | 35 ++++++++++----------- machines/weilite/services/restic.nix | 31 ++++++++++++++++-- 5 files changed, 89 insertions(+), 29 deletions(-) create mode 100644 machines/weilite/services/cloudflared.nix diff --git a/machines/weilite/default.nix b/machines/weilite/default.nix index ce39730..2d2ef8c 100644 --- a/machines/weilite/default.nix +++ b/machines/weilite/default.nix @@ -38,6 +38,8 @@ kernelModules = [ "kvm-intel" ]; }; + nixpkgs.config.allowUnfree = true; + environment.systemPackages = [ pkgs.virtiofsd ]; sops = { 
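Review bot: `/backup` is now the sqlite dump root here (`paths = [ "/backup" … ]` and the four `sqliteBackup … "/backup/<svc>"` calls), while `modules/nixos/restic.nix` in patch 4/8 of this series snapshots `/` into `backup` and runs `btrfs subvolume delete /backup` in its cleanup step; if massicot's root is btrfs and it also enables that module (not visible in this hunk), the two will fight over the same path — the snapshot lands inside the existing directory and the delete fails because `/backup` is a plain directory. A comment on `paths` naming the intended relationship, e.g. `# plain directory of sqlite dumps; must not collide with the btrfs snapshot path used by modules/nixos/restic.nix`, or moving one of them to a distinct path, would settle it. The old `/var/backup` tree is no longer listed in `paths` and nothing removes it, so stale dumps of the same databases linger on disk unless cleaned up by hand.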
@@ -48,6 +50,10 @@ owner = "caddy"; mode = "400"; }; + dnspod_dns_token = { + owner = "caddy"; + mode = "400"; + }; "immich/oauth_client_secret" = { owner = "immich"; mode = "400"; @@ -64,16 +70,30 @@ what = "immich"; where = "/mnt/XinPhotos/immich"; type = "virtiofs"; - options = "rw"; + options = "rw,nodev,nosuid"; wantedBy = [ "immich-server.service" ]; } { what = "originals"; where = "/mnt/XinPhotos/originals"; type = "virtiofs"; - options = "ro,nodev,nosuid"; + options = "rw,nodev,nosuid"; wantedBy = [ "immich-server.service" ]; } + { + what = "restic"; + where = "/var/lib/restic"; + type = "virtiofs"; + options = "rw,nodev,nosuid"; + wantedBy = [ "restic-rest-server.service" ]; + } + { + what = "ocis"; + where = "/var/lib/ocis"; + type = "virtiofs"; + options = "rw,nodev,nosuid"; + wantedBy = [ "ocis.service" ]; + } ]; services.openssh.ports = [ @@ -137,26 +157,30 @@ repo = "github.com/caddy-dns/cloudflare"; version = "89f16b99c18ef49c8bb470a82f895bce01cbaece"; } +{ + repo = "github.com/caddy-dns/dnspod"; + version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af"; + } ]; - vendorHash = "sha256-fTcMtg5GGEgclIwJCav0jjWpqT+nKw2OF1Ow0MEEitk="; + vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI="; }; virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = '' reverse_proxy 127.0.0.1:${toString config.services.immich.port} ''; # API Token must be added in systemd environment file virtualHosts."immich.xinyang.life:8000".extraConfig = '' - tls { - dns cloudflare {env.CLOUDFLARE_API_TOKEN} - } reverse_proxy 127.0.0.1:${toString config.services.immich.port} ''; + globalConfig = '' + acme_dns dnspod {env.DNSPOD_API_TOKEN} + ''; }; networking.firewall.allowedTCPPorts = [ 8000 ]; systemd.services.caddy = { serviceConfig = { - EnvironmentFile = config.sops.secrets.cloudflare_dns_token.path; + EnvironmentFile = config.sops.secrets.dnspod_dns_token.path; }; }; 
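Review bot: The `originals` virtiofs mount goes from `ro,nodev,nosuid` to `rw,nodev,nosuid` although it still serves only `immich-server.service`; unless immich now has to write into the originals share (not stated in the commit), keeping `options = "ro,nodev,nosuid";` means a bug or compromise in the media server cannot alter or delete the photo masters. If write access really is required, a one-line comment on the mount saying which immich feature needs it would stop the next reader from reverting it. The new `restic` and `ocis` mounts reuse the same `rw,nodev,nosuid` set, which is appropriate for their state directories.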
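Review bot: `cloudflare_dns_token` remains declared in `sops.secrets` and in `secrets.yaml` even though caddy now loads only `dnspod_dns_token` and `acme_dns dnspod` is the sole consumer; a credential that is still deployed to the host but no longer used should be dropped from the secrets (and, as a matter of hygiene, revoked at the provider) rather than left behind. The comment `# API Token must be added in systemd environment file` now sits above a vhost that no longer references any token; it belongs next to `globalConfig`, e.g. `# DNSPOD_API_TOKEN comes from the caddy EnvironmentFile (sops dnspod_dns_token)`. Whether the `cloudflare` caddy plugin still needs to be compiled in once the token is gone is worth a look too.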
diff --git a/machines/weilite/secrets.yaml b/machines/weilite/secrets.yaml
index bb631bb..8446f0a 100644
--- a/machines/weilite/secrets.yaml
+++ b/machines/weilite/secrets.yaml
@@ -1,4 +1,5 @@
 cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
+dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str]
 immich:
 oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
 sops:
@@ -25,8 +26,8 @@ sops:
 V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
 RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-09-07T14:56:37Z"
- mac: ENC[AES256_GCM,data:PvMTvWumdW8W3Qj8WG4VBug8TzM+g9vQBdJNMr2rHxhFLgBp9lNOsVJkyDASnse+RVx9EKesRYni6t43XB2F7Y6nsv6PA7m9GYm08ELFXxYOLUjjrUSPzI6PhEk2eUbJ/MO/ojcntVRcbw1pmLUhq2Dj4mpl4Po6w4OyutKNNOg=,iv:eX/IiUn44Ecv5uTEQ5urUpWuuq+dr7ElVpZF24QpRxQ=,tag:3WcjZ/SP/Jd4JVkORBvkWg==,type:str]
+ lastmodified: "2024-09-13T12:02:54Z"
+ mac: ENC[AES256_GCM,data:c5p+B2mPCDyS/Q4QH4MkzCww6jFDhP8RfHqrKLf4e/8XuNEGfNmPKaeliZG26j1YQWRvFHiGQX3AMnQ3Q+fSRUQCVi5KV+KW7fADNIB3TiTT5hAFuynhiWWQSmIrWP0GGek3GDGi7OJ1PrFbxWP9bwaf+zBegiaUcWoTorJg7No=,iv:6MohNgPpq80eTUlf3RvPKsxdx69V0jl+/hrMxAPpPQE=,tag:BtWp1FChP2hdclbGl5W+vQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/machines/weilite/services/cloudflared.nix b/machines/weilite/services/cloudflared.nix
new file mode 100644
index 0000000..30b748d
--- /dev/null
+++ b/machines/weilite/services/cloudflared.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }:
+{
+ services.cloudflared = {
+ enable = true;
+ tunnels =
+ {
+ };
+ };
+}
diff --git a/machines/weilite/services/ocis.nix b/machines/weilite/services/ocis.nix
index 26a6769..7438591 100644
--- a/machines/weilite/services/ocis.nix
+++ b/machines/weilite/services/ocis.nix
@@ -1,36 +1,35 @@ { config, pkgs, ... }: { - sops = { - secrets = { - "ocis/env" = { - sopsFile = ../secrets.yaml; - }; - }; - }; - services.ocis = { enable = true; - package = pkgs.ocis-bin; + package = pkgs.ocis; stateDir = "/var/lib/ocis"; url = "https://drive.xinyang.life:8443"; address = "127.0.0.1"; port = 9200; + configDir = "/var/lib/ocis/config"; environment = { OCIS_INSECURE = "false"; - OCIS_LOG_LEVEL = "trace"; + PROXY_TLS = "false"; + OCIS_LOG_LEVEL = "debug"; OCIS_LOG_PRETTY = "true"; - # For reverse proxy. Disable tls. - OCIS_PROXY_TLS = "false"; - WEB_OIDC_CLIENT_ID = "owncloud"; - WEB_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud"; + PROXY_AUTOPROVISION_ACCOUNTS = "true"; + PROXY_USER_OIDC_CLAIM = "preferred_username"; + PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud"; + PROXY_OIDC_REWRITE_WELLKNOWN = "false"; + PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none"; OCIS_EXCLUDE_RUN_SERVICES = "idp"; - PROXY_OIDC_REWRITE_WELLKNOWN = "true"; + WEB_HTTP_ADDR = "127.0.0.1:12345"; + WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud/.well-known/openid-configuration"; + WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud"; + WEB_OIDC_CLIENT_ID = "owncloud"; }; + # environmentFile = config.sops.secrets."ocis/env".path; }; - networking.allowedTCPPorts = [ 8443 ]; - + networking.firewall.allowedTCPPorts = [ 8443 ]; services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = '' - reverse_proxy ${config.services.ocis.address}:${config.services.ocis.address} + redir /.well-known/openid-configuration https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration permanent + reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port} ''; } diff --git a/machines/weilite/services/restic.nix b/machines/weilite/services/restic.nix index e1fb489..4858590 100644 --- a/machines/weilite/services/restic.nix 
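Review bot: `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none"` switches off the proxy's own check of incoming bearer tokens, and together with `PROXY_AUTOPROVISION_ACCOUNTS = "true"` and `PROXY_USER_OIDC_CLAIM = "preferred_username"` it means any token the issuer's userinfo endpoint accepts provisions an account under that claim; the hunk gives no reason for choosing `none`, so add one, e.g. `# kanidm access tokens are presumably not verifiable as JWTs by ocis — confirm; "none" defers entirely to the userinfo call`. `OCIS_LOG_LEVEL = "debug"` is a step down from the removed `trace` but still verbose for a service handling OIDC tokens; consider returning it to the default once the integration is stable. The `redir … permanent` answers 301 for `/.well-known/openid-configuration`, which browsers and clients cache indefinitely, so a later change of issuer path will need `temporary` or a cache bust. The fix of `${config.services.ocis.address}:${config.services.ocis.address}` to use the port is noted and not re-raised.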
+++ b/machines/weilite/services/restic.nix @@ -1,16 +1,43 @@ { config, ... }: +let + mkPrune = user: host: { + name = "${user}-${host}-prune"; + value = { + user = "restic"; + repository = "/var/lib/restic/${user}/${host}"; + passwordFile = "/var/lib/restic/localpass"; + timerConfig = { + OnCalendar = "02:05"; + RandomizedDelaySec = "1h"; + }; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; + + }; +in { services.restic.server = { enable = true; dataDir = "/var/lib/restic"; listenAddress = "127.0.0.1:19573"; - privateRepos = "true"; + privateRepos = true; extraFlags = [ "--append-only" + "--prometheus-no-auth" ]; }; - networking.allowedTCPPorts = [ 8443 ]; + services.restic.backups = builtins.listToAttrs [ + (mkPrune "xin" "calcite") + (mkPrune "xin" "massicot") + ]; + + networking.firewall.allowedTCPPorts = [ 8443 ]; services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = '' reverse_proxy ${config.services.restic.server.listenAddress} From 018044aa7db0013f689e3bcc13789e8370dd7451 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 23 Sep 2024 20:17:57 +0800 Subject: [PATCH 3/8] dolomite/network: switch to networkd --- machines/dolomite/bandwagon.nix | 16 +++++++++++++--- machines/dolomite/default.nix | 31 ------------------------------- machines/dolomite/lightsail.nix | 3 ++- 3 files changed, 15 insertions(+), 35 deletions(-) diff --git a/machines/dolomite/bandwagon.nix b/machines/dolomite/bandwagon.nix index 1284da3..91449c1 100644 --- a/machines/dolomite/bandwagon.nix +++ b/machines/dolomite/bandwagon.nix 
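Review bot: `--prometheus-no-auth` makes the rest-server's `/metrics` endpoint answer without credentials, and the Caddy vhost `https://backup.xinyang.life:8443` forwards every path to `listenAddress`, so repository names and sizes become readable by anyone who can reach port 8443 (unless something in front of Caddy restricts it — not visible here); either drop the flag or fence the path in the vhost, e.g. `handle /metrics { respond 403 }` placed before the `reverse_proxy` line. The prune jobs read `passwordFile = "/var/lib/restic/localpass"`, a plaintext password living on the same virtiofs share as the repositories it protects (patch 2/8 mounts `restic` at `/var/lib/restic`), while every other secret on this host goes through sops; moving it to `config.sops.secrets` keeps a copy of the share from also yielding the key. `privateRepos = "true"` → `true` is the right type fix and is not re-raised.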
@@ -42,9 +42,19 @@ in boot.loader.grub.enable = true; boot.loader.grub.device = "/dev/sda"; - networking.useDHCP = false; - networking.interfaces.ens18.useDHCP = true; - networking.interfaces.ens19.useDHCP = true; + networking.useNetworkd = true; + systemd.network.networks."10-wan" = { + matchConfig.MACAddress = "ens18"; + networkConfig.DHCP = "ipv4"; + dhcpV4Config = { + UseDNS = false; + }; + }; + systemd.network.networks."20-lan" = { + matchConfig.MACAddress = "ens19"; + networkConfig.DHCP = "ipv4"; + }; + services.resolved.enable = true; services.sing-box.settings.dns.strategy = "ipv4_only"; }; diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix index 019867c..0576114 100644 --- a/machines/dolomite/default.nix +++ b/machines/dolomite/default.nix @@ -101,29 +101,6 @@ in { enable = true; settings = { - dns = { - servers = [ - { - tag = "warp"; - address = "1.1.1.1"; - detour = "wg-out"; - } - { - tag = "directdns"; - address = "h3://8.8.8.8/dns-query"; - } - ]; - rules = [ - { - outbound = "wg-out"; - server = "warp"; - } - { - outbound = "direct"; - server = "directdns"; - } - ]; - }; inbounds = [ { @@ -182,17 +159,9 @@ in type = "direct"; tag = "direct"; } - { - type = "dns"; - tag = "dns-out"; - } ]; route = { rules = [ - { - outbound = "dns-out"; - protocol = "dns"; - } { inbound = "sg0"; outbound = "direct"; diff --git a/machines/dolomite/lightsail.nix b/machines/dolomite/lightsail.nix index 18afeda..230b23d 100644 --- a/machines/dolomite/lightsail.nix +++ b/machines/dolomite/lightsail.nix @@ -103,7 +103,8 @@ in environment.systemPackages = [ pkgs.cryptsetup ]; # EC2 has its own NTP server provided by the hypervisor - networking.timeServers = [ "169.254.169.123" ]; + services.timesyncd.enable = true; + services.timesyncd.servers = [ "169.254.169.123" ]; # udisks has become too bloated to have in a headless system # (e.g. it depends on GTK). From 52267e1ab6c996feb9d0c2ad2484ccd7acef9257 Mon Sep 17 00:00:00 2001 
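Review bot: `matchConfig.MACAddress = "ens18"` (and `"ens19"` in `"20-lan"`) puts an interface name into a `[Match] MACAddress=` field, which expects hardware addresses; networkd will either reject the value or never match the interface, so neither network gets DHCP and this headless VPS loses its uplink at the next switch. The interface name belongs in `matchConfig.Name = "ens18";` and `matchConfig.Name = "ens19";`. With `UseDNS = false` on the WAN lease and no static `DNS=` in either network, name resolution after this change depends on the LAN lease or resolved's fallback servers — presumably intended, but worth a comment on `dhcpV4Config`. The enclosing `let … in` expression shown in the hunk header starts outside the hunk.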
From: xinyangli Date: Mon, 23 Sep 2024 20:19:27 +0800 Subject: [PATCH 4/8] modules/restic: fix btrfs not found --- modules/nixos/restic.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/nixos/restic.nix b/modules/nixos/restic.nix index 7410a53..0926fad 100644 --- a/modules/nixos/restic.nix +++ b/modules/nixos/restic.nix @@ -1,6 +1,7 @@ # TODO: https://github.com/lilyinstarlight/foosteros/blob/dfe1ab3eb68bfebfaa709482d52fa04ebdde81c8/config/restic.nix#L23 <- this is better { config, + pkgs, lib, ... }: @@ -55,10 +56,10 @@ in } (lib.mkIf (config.fileSystems."/".fsType == "btrfs") { backupPrepareCommand = '' - btrfs subvolume snapshot -r / backup + ${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r / backup ''; backupCleanupCommand = '' - btrfs subvolume delete /backup + ${pkgs.btrfs-progs}/bin/btrfs subvolume delete /backup ''; paths = map (p: "/backup" + p) cfg.paths; }) From 7d03d2904bcdbccffc48e3162fc6a0e6995e043e Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 23 Sep 2024 20:20:18 +0800 Subject: [PATCH 5/8] calcite: minor fix --- machines/calcite/configuration.nix | 19 +++++++++++++++++-- machines/calcite/secrets.yaml | 6 +++--- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix index a0efe28..f397b7a 100644 --- a/machines/calcite/configuration.nix +++ b/machines/calcite/configuration.nix @@ -182,12 +182,24 @@ environment.systemPackages = with pkgs; [ oidc-agent # Filesystem - owncloud-client + (owncloud-client.overrideAttrs ( + finalAttrs: previousAttrs: { + src = pkgs.fetchFromGitHub { + owner = "xinyangli"; + repo = "client"; + rev = "e5ec2d68077361f1597b137a944884dda5574487"; + hash = "sha256-xs8g7DdL1VxArK3n1c/9k7nW2vwYRHRuz6zaeX7E3eM="; + }; + } + )) nfs-utils # tesseract5 # ocr ocrmypdf # pdfocr + gtkwave + bubblewrap + # ==== Development ==== # # Python # reference: https://nixos.wiki/wiki/Python 
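Review bot: `${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r / backup` names the snapshot with the relative path `backup`, while the cleanup deletes the absolute `/backup` and `paths = map (p: "/backup" + p) cfg.paths` reads from `/backup`; unless the prepare command runs with `/` as its working directory (not visible in this hunk), the snapshot lands elsewhere and the backup reads the live tree or fails. Making the destination explicit, `${pkgs.btrfs-progs}/bin/btrfs subvolume snapshot -r / /backup`, removes the dependency on the working directory; `lib.getExe' pkgs.btrfs-progs "btrfs"` would also match the `lib.getExe` style used elsewhere in the series. The surrounding `lib.mkIf` list continues outside the hunk.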
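Review bot: The `owncloud-client.overrideAttrs (finalAttrs: previousAttrs: { src = … })` override uses neither `finalAttrs` nor `previousAttrs`, so the shorter `overrideAttrs (_: { src = pkgs.fetchFromGitHub { … }; })` says the same thing with less ceremony. The fork's `src` is pinned by `rev` and `hash`, which is good; a one-line comment naming what the fork changes (e.g. `# xinyangli/client fork: <reason> — TODO drop once upstreamed`) would tell the next reader when the override can go. The `environment.systemPackages` list continues outside the hunk.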
@@ -256,6 +268,9 @@ system.stateVersion = "22.05"; + system.switch.enable = false; + system.switch.enableNg = true; + nix.extraOptions = '' !include "${config.sops.secrets.github_public_token.path}" ''; @@ -282,7 +297,7 @@ custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path; custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path; - custom.forgejo-actions-runner.enable = true; + custom.forgejo-actions-runner.enable = false; custom.forgejo-actions-runner.tokenFile = config.sops.secrets."gitea/envfile".path; custom.prometheus = { diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml index d0e1b64..33e4e52 100644 --- a/machines/calcite/secrets.yaml +++ b/machines/calcite/secrets.yaml @@ -1,5 +1,5 @@ restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] -restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] +restic_repo_calcite: ENC[AES256_GCM,data:ELvSvoBfulbsoMvRMt2bVo9KiNQAuHomblZcAwJ+g0tHELkq65kaaGwMsNy1AttBfiD7RrQsKifX/YTUGmuz1mDg0WqkV/Mv,iv:HKz96YgVahxh+t3AEqe09mTE01uT+VrUYt04H6zyS9g=,tag:llFeeN7ryTZI9gLlYIRhCg==,type:str] sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str] gitea: envfile: ENC[AES256_GCM,data:bO1aMYm0kPTBbyPD5cweVRzNjiDK2WlWDsxz52L3faFg5HSVmBoi5DZC17XBXYw=,iv:lo9XEcwY4FPD/rRbnuiUviioMIiiphS26UgPro56DIU=,tag:0eKfsS0pYw+FPW+Y5dgisg==,type:str] 
@@ -27,8 +27,8 @@ sops: WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-14T01:46:18Z" - mac: ENC[AES256_GCM,data:+RuyHG1wLykJX792bkHvRXEiW7vDYj7i2tbR0MnZZUuFcr3xQDIuCW0/XnzxeX643k4iq+h/YUer/v7tIbCh75UXTG7oxQpfJhI8zMfaxKcCZBntD+wDhEmpWhgonOR/RwOAPMPz7FntJVvt9BHnpSLVjZC7KqVPohob0DRJs2Q=,iv:p6Lov35M8SN9RIV9I3D+3cO+wi3Kd2pVe08xgWYi/tM=,tag:aOMQauv2FFEsdwaS7WOraQ==,type:str] + lastmodified: "2024-09-12T16:48:39Z" + mac: ENC[AES256_GCM,data:sYY8N0HZ05sUV7m/w5L1pFWJb2V8wZNukyUXHH0V9LMO1JlJMwCUH2XuseLGz5kz0yggAF+fty/x16PBvI5ARcpaZ23pLmNFYHtpx2tWhWcyYg/yMAqjUf19o17IZ50GpLVkmRHQbowwZF9dcHr8mEicrftZbeORzg2eKVkx8+w=,iv:0fyqOrs2XQ363uX5Dr8zuoUzkHdtsQ/v3SZidFBeSr4=,tag:1Kw1jrruxfn9lxgtL0XEMA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 From 90788e61a278230cbfce3c97b33b595e7df9b423 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Mon, 23 Sep 2024 20:20:56 +0800 Subject: [PATCH 6/8] colmena: switch deployUser back to xin --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 9a9ffc3..4af8705 100644 --- a/flake.nix +++ b/flake.nix @@ -83,7 +83,7 @@ ]; }; deploymentModule = { - deployment.targetUser = "root"; + deployment.targetUser = "xin"; }; sharedColmenaModules = [ self.nixosModules.default From 3b5fc28ac64acb83a5fd2cf9f272b50bcd488e8b Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 24 Sep 2024 10:29:14 +0800 Subject: [PATCH 7/8] bump flake --- flake.lock | 78 ++++++++++++++++++++++---------------------- home/xin/calcite.nix | 2 +- 2 files changed, 40 insertions(+), 40 deletions(-) diff --git a/flake.lock b/flake.lock index 3744570..6081249 100644 --- a/flake.lock +++ b/flake.lock 
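Review bot: `deployment.targetUser = "xin"` makes colmena activate closures through a non-root login, which only works if `xin` can run the activation with passwordless sudo on every target; that policy is not part of this series (patch 8/8 even drops an explicit `sudoers = [ "xin@auth.xinyang.life" ]` from massicot, replacing it with `commonSettings.auth.enable = true`, whose contents are not shown). A comment on the line, e.g. `# non-root deploy: every target must let xin sudo without a password`, records the requirement. Not deploying as root is otherwise a welcome reduction of what a leaked deploy key can do.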
@@ -116,11 +116,11 @@ }, "catppuccin": { "locked": { - "lastModified": 1725509983, - "narHash": "sha256-NHCgHVqumPraFJnLrkanoLDuhOoUHUvRhvp/RIHJR+A=", + "lastModified": 1726952185, + "narHash": "sha256-l/HbsQjJMT6tlf8KCooFYi3J6wjIips3n6/aWAoLY4g=", "owner": "catppuccin", "repo": "nix", - "rev": "45745fe5960acaefef2b60f3455bcac6a0ca6bc9", + "rev": "630b559cc1cb4c0bdd525af506935323e4ccd5d1", "type": "github" }, "original": { @@ -285,11 +285,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1710146030, - "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", "type": "github" }, "original": { @@ -433,11 +433,11 @@ ] }, "locked": { - "lastModified": 1725694918, - "narHash": "sha256-+HsjshXpqNiJHLaJaK0JnIicJ/a1NquKcfn4YZ3ILgg=", + "lastModified": 1726985855, + "narHash": "sha256-NJPGK030Y3qETpWBhj9oobDQRbXdXOPxtu+YgGvZ84o=", "owner": "nix-community", "repo": "home-manager", - "rev": "aaebdea769a5c10f1c6e50ebdf5924c1a13f0cda", + "rev": "04213d1ce4221f5d9b40bcee30706ce9a91d148d", "type": "github" }, "original": { @@ -476,11 +476,11 @@ ] }, "locked": { - "lastModified": 1726036828, - "narHash": "sha256-ZQHbpyti0jcAKnwQY1lwmooecLmSG6wX1JakQ/eZNeM=", + "lastModified": 1724435763, + "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=", "owner": "nix-community", "repo": "home-manager", - "rev": "8a1671642826633586d12ac3158e463c7a50a112", + "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be", "type": "github" }, "original": { 
@@ -540,11 +540,11 @@ ] }, "locked": { - "lastModified": 1725161148, - "narHash": "sha256-WfAHq3Ag3vLNFfWxKHjFBFdPI6JIideWFJod9mx1eoo=", + "lastModified": 1726975622, + "narHash": "sha256-bPDZosnom0+02ywmMZAvmj7zvsQ6mVv/5kmvSgbTkaY=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "32058e9138248874773630c846563b1a78ee7a5b", + "rev": "c7515c2fdaf2e1f3f49856cef6cec95bb2138417", "type": "github" }, "original": { @@ -564,11 +564,11 @@ ] }, "locked": { - "lastModified": 1725672853, - "narHash": "sha256-z1O6dzCJ27OZpF680tZL0mQphQETdg4DTryvhFOpZyA=", + "lastModified": 1727055858, + "narHash": "sha256-JZldqP3uEzphER/63J8crL9O9uR7g+cNAkb+erRmN48=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "efd33fc8e5a149dd48d86ca6003b51ab3ce4ae21", + "rev": "de538d220bccc69ad940a53e2b50fef7e05501f2", "type": "github" }, "original": { @@ -579,11 +579,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1725477728, - "narHash": "sha256-ahej1VRqKmWbG7gewty+GlrSBEeGY/J2Zy8Nt8+3fdg=", + "lastModified": 1727040444, + "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=", "owner": "NixOS", "repo": "nixos-hardware", - "rev": "880be1ab837e1e9fe0449dae41ac4d034694d4ce", + "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac", "type": "github" }, "original": { @@ -623,11 +623,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1725407940, - "narHash": "sha256-tiN5Rlg/jiY0tyky+soJZoRzLKbPyIdlQ77xVgREDNM=", + "lastModified": 1726838390, + "narHash": "sha256-NmcVhGElxDbmEWzgXsyAjlRhUus/nEqPC5So7BOJLUM=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6f6c45b5134a8ee2e465164811e451dcb5ad86e3", + "rev": "944b2aea7f0a2d7c79f72468106bc5510cbf5101", "type": "github" }, "original": { 
@@ -639,11 +639,11 @@ }, "nixpkgs-stable_2": { "locked": { - "lastModified": 1721524707, - "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=", + "lastModified": 1725762081, + "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171", + "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05", "type": "github" }, "original": { @@ -655,11 +655,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1726296585, - "narHash": "sha256-inm7AIEqfgF4wXkhWB2M5IfmdITSF90xpeDDSU3DfNc=", + "lastModified": 1727093669, + "narHash": "sha256-VUBuY1qGk0FBMBydHWyp85f/pypH6nlSXnnIJh3Z4XA=", "owner": "xinyangli", "repo": "nixpkgs", - "rev": "8539edfb09c674994303141378df4ab33cd765ad", + "rev": "67cce3820108e9ef3ecd69097089a13a2e3f5909", "type": "github" }, "original": { @@ -671,11 +671,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1726042813, - "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", + "lastModified": 1725194671, + "narHash": "sha256-tLGCFEFTB5TaOKkpfw3iYT9dnk4awTP/q4w+ROpMfuw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", + "rev": "b833ff01a0d694b910daca6e2ff4a3f26dee478c", "type": "github" }, "original": { @@ -713,11 +713,11 @@ }, "nur": { "locked": { - "lastModified": 1725687722, - "narHash": "sha256-LPv282y5okYk8ebiBsEbDXy2WykwdBPpAthjKSmTfNI=", + "lastModified": 1727091899, + "narHash": "sha256-ztA+/sTDdsba2c4JrxUcKA+RH8mKy5RO1ikCrEmcsH4=", "owner": "nix-community", "repo": "NUR", - "rev": "ff7f8143f33751c4f37caec678ed1eb63006c0d3", + "rev": "9134c128b0a9610bdf6771a561e185e6dfbdd05b", "type": "github" }, "original": { 
@@ -774,11 +774,11 @@ "nixpkgs-stable": "nixpkgs-stable_2" }, "locked": { - "lastModified": 1725540166, - "narHash": "sha256-htc9rsTMSAY5ek+DB3tpntdD/es0eam2hJgO92bWSys=", + "lastModified": 1726524647, + "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=", "owner": "Mic92", "repo": "sops-nix", - "rev": "d9d781523a1463965cd1e1333a306e70d9feff07", + "rev": "e2d404a7ea599a013189aa42947f66cede0645c8", "type": "github" }, "original": { diff --git a/home/xin/calcite.nix b/home/xin/calcite.nix index 71ffff6..b850d52 100644 --- a/home/xin/calcite.nix +++ b/home/xin/calcite.nix @@ -27,7 +27,7 @@ }; home.packages = with pkgs; [ - # betterbird + betterbird remmina ]; From 742e2d7e48373cfb2ba42bc4038eddf1298b322b Mon Sep 17 00:00:00 2001 From: xinyangli Date: Tue, 24 Sep 2024 10:53:51 +0800 Subject: [PATCH 8/8] modules/autoupgrade: init --- machines/massicot/default.nix | 18 ++--------- machines/massicot/kanidm-provision.nix | 3 +- modules/nixos/common-settings/autoupgrade.nix | 32 +++++++++++++++++++ modules/nixos/default.nix | 1 + 4 files changed, 38 insertions(+), 16 deletions(-) create mode 100644 modules/nixos/common-settings/autoupgrade.nix diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index f74f265..ecbc6e2 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -1,7 +1,5 @@ { inputs, - config, - libs, pkgs, ... }: @@ -51,13 +49,6 @@ efiSupport = true; configurationLimit = 5; }; - # - # fileSystems."/mnt/storage" = { - # device = "//u380335-sub1.your-storagebox.de/u380335-sub1"; - # fsType = "cifs"; - # options = [ "credentials=${config.sops.secrets.storage_box_mount.path}" ]; - # }; - # environment.systemPackages = with pkgs; [ cifs-utils git 
@@ -69,14 +60,11 @@ hostName = "massicot"; }; - custom.kanidm-client = { - enable = true; - uri = "https://auth.xinyang.life/"; - asSSHAuth = { + commonSettings = { + auth.enable = true; + nix = { enable = true; - allowedGroups = [ "linux_users" ]; }; - sudoers = [ "xin@auth.xinyang.life" ]; }; security.sudo = { diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index bd38b03..91f86d2 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -139,7 +139,8 @@ originUrl = [ "http://localhost/" "http://127.0.0.1/" - "oc://android.owncloud.com" + # TODO: Should allow mobile redirect url not ending with / + # "oc://android.owncloud.com" ]; basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path; preferShortUsername = true; diff --git a/modules/nixos/common-settings/autoupgrade.nix b/modules/nixos/common-settings/autoupgrade.nix new file mode 100644 index 0000000..6c2cc83 --- /dev/null +++ b/modules/nixos/common-settings/autoupgrade.nix @@ -0,0 +1,32 @@ +{ + config, + lib, + ... +}: + +let + inherit (lib) + mkIf + mkEnableOption + mkOption + types + ; + + cfg = config.commonSettings.autoupgrade; +in +{ + options.commonSettings.autoupgrade = { + enable = mkEnableOption "auto upgrade with nixos-rebuild"; + flake = mkOption { + type = types.str; + default = "github:xinyangli/nixos-config/deploy"; + }; + }; + + config = mkIf cfg.enable { + system.autoUpgrade = { + enable = true; + flake = cfg.flake; + }; + }; +} diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix index 36bf773..bfc36ce 100644 --- a/modules/nixos/default.nix +++ b/modules/nixos/default.nix @@ -1,6 +1,7 @@ { imports = [ ./common-settings/auth.nix + ./common-settings/autoupgrade.nix ./common-settings/nix-conf.nix ./restic.nix ./vaultwarden.nix
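Review bot: The removed `custom.kanidm-client` block limited kanidm-backed SSH logins to `allowedGroups = [ "linux_users" ]` and sudo to `xin@auth.xinyang.life`, whereas the replacement `commonSettings.auth.enable = true` takes no such parameters; whether those restrictions survive depends entirely on `modules/nixos/common-settings/auth.nix`, which this series does not show, so a comment such as `# group/sudo restrictions for kanidm users now live in common-settings/auth.nix` would make the hand-off explicit. `nix = { enable = true; };` can be written `nix.enable = true;` in the style of the `auth.enable` line above it. The enclosing attribute set continues outside the hunk.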
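Review bot: `flake = "github:xinyangli/nixos-config/deploy"` tracks a mutable branch, so every host that enables `commonSettings.autoupgrade` will switch, as root, to whatever that branch points to on the NixOS default schedule — the module sets neither `dates` nor `allowReboot`, and the `flake` option has no `description`. Record that trust relationship on the option, e.g. `description = "Flake ref applied by nixos-rebuild; a mutable branch means branch protection on it is part of every host's trust boundary."`, and consider exposing `dates` through the module so maintenance windows are chosen per host rather than inherited silently. The `mkEnableOption "auto upgrade with nixos-rebuild"` text could also mention that it implies `system.autoUpgrade`.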