diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index bcdc5f7..ac3ba94 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -31,9 +31,6 @@
       "miniflux/oauth2_secret" = {
         owner = "root";
       };
-      "forgejo/env" = {
-        owner = "forgejo";
-      };
     };
   };
 
diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix
index 71ca402..48c4c0b 100644
--- a/machines/massicot/kanidm-provision.nix
+++ b/machines/massicot/kanidm-provision.nix
@@ -5,9 +5,6 @@
     forgejo-access = {
       members = [ "xin" ];
     };
-    forgejo-admin = {
-      members = [ "xin" ];
-    };
     gts-users = {
       members = [ "xin" ];
     };
@@ -38,9 +35,6 @@
     miniflux-users = {
       members = [ "xin" ];
     };
-    idm_people_self_mail_write = {
-      members = [ ];
-    };
   };
   persons = {
     xin = {
@@ -67,15 +61,6 @@
       scopeMaps = {
         forgejo-access = [ "openid" "email" "profile" "groups" ];
       };
-      claimMaps = {
-        forgejo_role = {
-          joinType = "array";
-          valuesByGroup = {
-            forgejo-access = [ "Access" ];
-            forgejo-admin = [ "Admin" ];
-          };
-        };
-      };
     };
     gts = {
       displayName = "GoToSocial";
diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml
index cc3fd7f..b5ca7fe 100644
--- a/machines/massicot/secrets.yaml
+++ b/machines/massicot/secrets.yaml
@@ -1,11 +1,9 @@
 storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
-gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str]
+gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str]
 hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
-grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str]
+grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str]
 miniflux:
-    oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str]
-forgejo:
-    env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str]
+    oauth2_secret: ENC[AES256_GCM,data:Q0JeT5VHGEDATXB9jf5+eU1Hoi9FsJrw6IK2T0bodvVgki+1oF+sWld5NGpoiXm/bQ==,iv:e8+84Zk5eXNIyIPhTG8jFhO+DCRorPFG0lDDNT4OxCs=,tag:IxlyFBcFaSy7Nz0aQCH3bw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -30,8 +28,8 @@ sops:
             dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
             V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-08-21T05:54:31Z"
-    mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str]
+    lastmodified: "2024-08-05T08:53:56Z"
+    mac: ENC[AES256_GCM,data:DtAL9k/t4pGV2UqCrb1R/1nT3gjJ8wced5yQOF5oneoncg/uuyX7IDZ0iZz0eGirj9Zadh9UQWNwxMzoiNu6pD1v04MkxT0NVDJ32vt5X+YDQJ60vRJjn9+zKvLk8Esx9sFsuBxjVXXmbtev7+djU+LbpPLfaobdheO2XlJXtdU=,iv:y2KI5ylgvuQ7ktYAr6XPEX3qyxnSP7BWC79mdsr4hgk=,tag:cvXvXeKvRwvttgQfmZRi2w==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index 3137765..96ede16 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -142,8 +142,6 @@ in
 
   services.forgejo = {
     enable = true;
-    # Use cutting edge instead of lts
-    package = pkgs.forgejo;
     repositoryRoot = "/mnt/storage/forgejo/repositories";
     lfs = {
       enable = true;
@@ -153,10 +151,11 @@ in
       service.DISABLE_REGISTRATION = true;
       server = {
         ROOT_URL = "https://git.xinyang.life/";
-        START_SSH_SERVER = false;
-        SSH_USER = config.services.forgejo.user;
+        START_SSH_SERVER = true;
+        BUILTIN_SSH_SERVER_USER = "git";
+        SSH_USER = "git";
         SSH_DOMAIN = "ssh.xinyang.life";
-        SSH_PORT = 22;
+        SSH_PORT = 2222;
         LFS_MAX_FILE_SIZE = 10737418240;
         LANDING_PAGE = "/explore/repos";
       };
@@ -167,14 +166,13 @@ in
         ENABLE_BASIC_AUTHENTICATION = false;
       };
       oauth2 = {
-        ENABLED = false; # Disable forgejo as oauth2 provider
+        ENABLE = false; # Disable forgejo as oauth2 provider
       };
       oauth2_client = {
         ACCOUNT_LINKING = "auto";
-        USERNAME = "email";
         ENABLE_AUTO_REGISTRATION = true;
-        UPDATE_AVATAR = false;
-        OPENID_CONNECT_SCOPES = "openid profile email groups";
+        UPDATE_AVATAR = true;
+        OPENID_CONNECT_SCOPES = "openid profile email";
       };
       other = {
         SHOW_FOOTER_VERSION = false;
@@ -182,22 +180,6 @@ in
     };
   };
 
-  systemd.services.forgejo = {
-    serviceConfig = {
-      EnvironmentFile = config.sops.secrets."forgejo/env".path;
-      ExecStartPost = ''
-        ${lib.getExe config.services.forgejo.package} admin auth update-oauth \
-            --id 1 \
-            --name kanidm \
-            --provider openidConnect \
-            --key forgejo \
-            --secret $CLIENT_SECRET \
-            --icon-url https://auth.xinyang.life/pkg/img/favicon.png \
-            --group-claim-name forgejo_role --admin-group Admin
-      '';
-    };
-  };
-
   services.grafana = {
     enable = true;
     settings = {
diff --git a/modules/nixos/common-settings/nix-conf.nix b/modules/nixos/common-settings/nix-conf.nix
index 5313b9f..f24dfc9 100644
--- a/modules/nixos/common-settings/nix-conf.nix
+++ b/modules/nixos/common-settings/nix-conf.nix
@@ -43,7 +43,8 @@ in
       ];
 
       extra-substituters = mkIf cfg.enableMirrors [
-        "https://mirrors.cernet.edu.cn/nix-channels/store?priority=20"
+        "https://mirrors.bfsu.edu.cn/nix-channels/store?priority=100"
+        "https://mirrors.ustc.edu.cn/nix-channels/store?priority=100"
       ];
 
       trusted-public-keys = [