chore: move caddy to common settings

chore: use deploy-next branch for test builds
chore: move tailscale to common settings
2025-05-10 00:27:51 +08:00 · 2025-05-09 13:53:02 +08:00 · 2025-05-09 13:51:02 +08:00 · 2025-05-08 21:48:39 +08:00 · 2025-05-08 21:41:02 +08:00 · 2025-05-08 17:40:52 +08:00
89 changed files with 216947 additions and 1372 deletions
--- a/.github/workflows/eval.yaml
+++ b/.github/workflows/eval.yaml
@ -0,0 +1,60 @@
+name: Eval NixOS Configurations
+
+on:
+  check_suite:
+    types: [completed]
+
+permissions:
+  contents: write
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: deploy
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v25
+        with:
+          extra_nix_conf: |
+            extra-trusted-public-keys = cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g=
+            extra-substituters = https://cache.garnix.io
+
+      - name: Configure Git
+        run: |
+          git config --global user.name "GitHub Actions Bot"
+          git config --global user.email "actions@github.com"
+
+      - name: Process Configurations
+        run: |
+          git checkout -b deploy-comin-eval
+          mkdir -p eval
+          hosts=$(nix flake show --json | jq -r '.nixosConfigurations | keys[]')
+          echo "Found hosts: $hosts"
+
+          failed_hosts=""
+          for host in $hosts; do
+            echo "Eval derivation for $host"
+            if ! nix derivation show ".#nixosConfigurations.$host.config.system.build.toplevel" > "eval/$host.json"; then
+              echo "❌ Failed to evaluate $host"
+              failed_hosts+="$host "
+              rm "eval/$host.json"
+            else
+              echo "✅ Successfully evaluated $host"
+            fi
+          done
+
+          echo "Failed hosts: $failed_hosts" 
+          
+          git add eval/
+          git commit -m "Update deployment configurations for all hosts"
+          
+          git push -f origin deploy-comin-eval
+
+          # After success, reset deploy-comin to new deploy
+          git checkout -b deploy-comin 
+          git reset --hard deploy
+          git push -f origin deploy-comin
--- a/.sops.yaml
+++ b/.sops.yaml
@ -9,6 +9,7 @@ keys:
  - &host-fra-00 age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s
  - &host-biotite age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv
  - &host-thorite age12ng08vjx5jde5ncqutwkd5vm4ygfwy33mzhzwe0lkxzglulgpqusc89r96
+  - &host-agate age1x79t4crvt8qj34vn052s0kaj80z87np83adqra953yjpydrzkqqspt6zcj
 creation_rules:
  - path_regex: machines/secrets.yaml
    key_groups:
@ -22,6 +23,7 @@ creation_rules:
      - *host-hk-00
      - *host-fra-00
      - *host-la-00
+      - *host-agate
  - path_regex: machines/calcite/secrets.yaml
    key_groups:
    - age:
--- a/china-domain.txt
+++ b/china-domain.txt
--- a/flake.lock
+++ b/flake.lock
@ -1,12 +1,17 @@
 {
  "nodes": {
    "catppuccin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
      "locked": {
-        "lastModified": 1733001911,
-        "narHash": "sha256-uX/9m0TbdhEzuWA0muM5mI/AaWcLiDLjCCyu5Qr9MRk=",
+        "lastModified": 1746650299,
+        "narHash": "sha256-4+pxk1KcSH8ww3tgN808nNJ3E7Q8gNWI+U0sesW7mBQ=",
        "owner": "catppuccin",
        "repo": "nix",
-        "rev": "a817009ebfd2cca7f70a77884e5098d0a8c83f8e",
+        "rev": "f746600f15b69df05c84e3037749a3be5b1276d1",
        "type": "github"
      },
      "original": {
@ -26,11 +31,11 @@
        "stable": "stable"
      },
      "locked": {
-        "lastModified": 1731527002,
-        "narHash": "sha256-dI9I6suECoIAmbS4xcrqF8r2pbmed8WWm5LIF1yWPw8=",
+        "lastModified": 1739900653,
+        "narHash": "sha256-hPSLvw6AZQYrZyGI6Uq4XgST7benF/0zcCpugn/P0yM=",
        "owner": "zhaofengli",
        "repo": "colmena",
-        "rev": "e3ad42138015fcdf2524518dd564a13145c72ea1",
+        "rev": "2370d4336eda2a9ef29fce10fa7076ae011983ab",
        "type": "github"
      },
      "original": {
@ -39,25 +44,24 @@
        "type": "github"
      }
    },
-    "devshell": {
+    "comin": {
      "inputs": {
        "nixpkgs": [
-          "my-nixvim",
-          "nixvim",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1728330715,
-        "narHash": "sha256-xRJ2nPOXb//u1jaBnDP56M7v5ldavjbtR6lfGqSvcKg=",
-        "owner": "numtide",
-        "repo": "devshell",
-        "rev": "dd6b80932022cea34a019e2bb32f6fa9e494dfef",
+        "lastModified": 1743515958,
+        "narHash": "sha256-KVRJFopEeIXROx0utbNeDINLGGJ2G2ET41Ccv9A1iow=",
+        "owner": "xinyangli",
+        "repo": "comin",
+        "rev": "88e4f7cba2869acb8d738b1e8d15985a094f560f",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
-        "repo": "devshell",
+        "owner": "xinyangli",
+        "ref": "garnix-executor",
+        "repo": "comin",
        "type": "github"
      }
    },
@ -68,11 +72,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733168902,
-        "narHash": "sha256-8dupm9GfK+BowGdQd7EHK5V61nneLfr9xR6sc5vtDi0=",
+        "lastModified": 1746695246,
+        "narHash": "sha256-7Tz4PQA/iLnwJX56VdCxMB66HOiWT/i9pmSiCNHqDKc=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "785c1e02c7e465375df971949b8dcbde9ec362e5",
+        "rev": "c7e0b00007ff6c0e2a6dd5c521aeef22ccdad026",
        "type": "github"
      },
      "original": {
@ -97,46 +101,16 @@
        "type": "github"
      }
    },
-    "flake-compat_2": {
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "revCount": 57,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.0.1/018afb31-abd1-7bff-a5e4-cff7e18efb7a/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
-      }
-    },
-    "flake-compat_3": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1696426674,
-        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": "nixpkgs-lib"
      },
      "locked": {
-        "lastModified": 1730504689,
-        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "lastModified": 1743550720,
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
        "type": "github"
      },
      "original": {
@ -154,11 +128,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1730504689,
-        "narHash": "sha256-hgmguH29K2fvs9szpq2r3pz2/8cJd2LPS+b4tfNFCwE=",
+        "lastModified": 1743550720,
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "506278e768c2a08bec68eb62932193e341f55c90",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
        "type": "github"
      },
      "original": {
@ -226,11 +200,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1726560853,
-        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
        "type": "github"
      },
      "original": {
@ -239,62 +213,6 @@
        "type": "github"
      }
    },
-    "git-hooks": {
-      "inputs": {
-        "flake-compat": [
-          "my-nixvim",
-          "nixvim",
-          "flake-compat"
-        ],
-        "gitignore": "gitignore",
-        "nixpkgs": [
-          "my-nixvim",
-          "nixvim",
-          "nixpkgs"
-        ],
-        "nixpkgs-stable": [
-          "my-nixvim",
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1730814269,
-        "narHash": "sha256-fWPHyhYE6xvMI1eGY3pwBTq85wcy1YXqdzTZF+06nOg=",
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "d70155fdc00df4628446352fc58adc640cd705c2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
-    "gitignore": {
-      "inputs": {
-        "nixpkgs": [
-          "my-nixvim",
-          "nixvim",
-          "git-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -302,33 +220,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733754861,
-        "narHash": "sha256-3JKzIou54yjiMVmvgdJwopekEvZxX3JDT8DpKZs4oXY=",
+        "lastModified": 1746661235,
+        "narHash": "sha256-TAm/SnOT8AD3YKYOdjtg5Nmf/hCKEwc0USHBIoXV8qo=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "9ebaa80a227eaca9c87c53ed515ade013bc2bca9",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
-    "home-manager_2": {
-      "inputs": {
-        "nixpkgs": [
-          "my-nixvim",
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1731235328,
-        "narHash": "sha256-NjavpgE9/bMe/ABvZpyHIUeYF1mqR5lhaep3wB79ucs=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "60bb110917844d354f3c18e05450606a435d2d10",
+        "rev": "ec71b5162848e6369bdf2be8d2f1dd41cded88e8",
        "type": "github"
      },
      "original": {
@ -353,16 +249,16 @@
        ]
      },
      "locked": {
-        "lastModified": 1729958008,
-        "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=",
+        "lastModified": 1737371634,
+        "narHash": "sha256-fTVAWzT1UMm1lT+YxHuVPtH+DATrhYfea3B0MxG/cGw=",
        "owner": "NuschtOS",
        "repo": "ixx",
-        "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb",
+        "rev": "a1176e2a10ce745ff8f63e4af124ece8fe0b1648",
        "type": "github"
      },
      "original": {
        "owner": "NuschtOS",
-        "ref": "v0.0.6",
+        "ref": "v0.0.7",
        "repo": "ixx",
        "type": "github"
      }
@ -376,39 +272,17 @@
        "nixvim": "nixvim"
      },
      "locked": {
-        "lastModified": 1732936640,
-        "narHash": "sha256-NcluA0L+ZV5MUj3UuQhlkGCj8KoEhX/ObWlMHZ/F/ac=",
+        "lastModified": 1745412132,
+        "narHash": "sha256-TO2iwVW9qMOukTBhtqxtBOHjGH9DG40plde+53l4DPI=",
        "ref": "refs/heads/master",
-        "rev": "a3709a89797ea094f82d38edeb4a538c07c8c3fa",
-        "revCount": 20,
+        "rev": "95b077c2bacf02f844f3bc169d8a91e38474fb72",
+        "revCount": 28,
        "type": "git",
-        "url": "https://git.xinyang.life/xin/nixvim"
+        "url": "https://git.xiny.li/xin/nixvim"
      },
      "original": {
        "type": "git",
-        "url": "https://git.xinyang.life/xin/nixvim"
-      }
-    },
-    "nix-darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "my-nixvim",
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1731153869,
-        "narHash": "sha256-3Ftf9oqOypcEyyrWJ0baVkRpvQqroK/SVBFLvU3nPuc=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "5c74ab862c8070cbf6400128a1b56abb213656da",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "type": "github"
+        "url": "https://git.xiny.li/xin/nixvim"
      }
    },
    "nix-github-actions": {
@ -439,11 +313,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733629314,
-        "narHash": "sha256-U0vivjQFAwjNDYt49Krevs1murX9hKBFe2Ye0cHpgbU=",
+        "lastModified": 1746330942,
+        "narHash": "sha256-ShizFaJCAST23tSrHHtFFGF0fwd72AG+KhPZFFQX/0o=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "f1e477a7dd11e27e7f98b646349cd66bbabf2fb8",
+        "rev": "137fd2bd726fff343874f85601b51769b48685cc",
        "type": "github"
      },
      "original": {
@ -454,7 +328,6 @@
    },
    "nix-vscode-extensions": {
      "inputs": {
-        "flake-compat": "flake-compat_3",
        "flake-utils": [
          "flake-utils"
        ],
@ -463,11 +336,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733795858,
-        "narHash": "sha256-K595Q2PrZv2iiumdBkwM2G456T2lKsLD71bn/fbJiQ0=",
+        "lastModified": 1746669583,
+        "narHash": "sha256-zQbz1kINODnwY1stHEZfkpWX1D6jn/h/lEOQpQlOoRM=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "66ced222ef9235f90dbdd754ede3d6476722aaa9",
+        "rev": "2e10ad11395ac09a73ad38f0cbe975e410065ca5",
        "type": "github"
      },
      "original": {
@ -478,11 +351,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1733481457,
-        "narHash": "sha256-IS3bxa4N1VMSh3/P6vhEAHQZecQ3oAlKCDvzCQSO5Is=",
+        "lastModified": 1746621361,
+        "narHash": "sha256-T9vOxEqI1j1RYugV0b9dgy0AreiZ9yBDKZJYyclF0og=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "e563803af3526852b6b1d77107a81908c66a9fcf",
+        "rev": "2ea3ad8a1f26a76f8a8e23fc4f7757c46ef30ee5",
        "type": "github"
      },
      "original": {
@ -492,41 +365,65 @@
        "type": "github"
      }
    },
+    "nixos-sbc": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1746635197,
+        "narHash": "sha256-7tcX3LUPp7Qmi1s14Sm2qaudvRBBMJ0gvEw8dumViYU=",
+        "owner": "nakato",
+        "repo": "nixos-sbc",
+        "rev": "cf727094afb89c2f94b9f7dcf596c34d55429b88",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nakato",
+        "ref": "main",
+        "repo": "nixos-sbc",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1731139594,
-        "narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
+        "lastModified": 1744868846,
+        "narHash": "sha256-5RJTdUHDmj12Qsv7XOhuospjAjATNiTMElplWnJE9Hs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2",
+        "rev": "ebe4301cbd8f81c4f8d3244b3632338bbeb6d49c",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-lib": {
      "locked": {
-        "lastModified": 1730504152,
-        "narHash": "sha256-lXvH/vOfb4aGYyvFmZK/HlsNsr/0CVWlwYvo2rxJk3s=",
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+        "lastModified": 1743296961,
+        "narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa",
+        "type": "github"
      },
      "original": {
-        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/cc2f28000298e1269cea6612cd06ec9979dd5d7f.tar.gz"
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
      }
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1733730953,
-        "narHash": "sha256-dlK7n82FEyZlHH7BFHQAM5tua+lQO1Iv7aAtglc1O5s=",
+        "lastModified": 1735563628,
+        "narHash": "sha256-OnSAY7XDSx7CtDoqNh8jwVwh4xNL/2HaJxGjryLWzX8=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "7109b680d161993918b0a126f38bc39763e5a709",
+        "rev": "b134951a4c9f3c995fd7be05f3243f8ecd65d798",
        "type": "github"
      },
      "original": {
@ -538,11 +435,11 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1733805440,
-        "narHash": "sha256-AQdCeGt3dMV9/cchlWGMcP0Z8qM47V+B0p7cSRr+HhA=",
+        "lastModified": 1745844501,
+        "narHash": "sha256-QDm2ETNvTdjO+Uyr3FVQ11Y2hUYxKN1kc/U0NZ/Uo5o=",
        "owner": "xinyangli",
        "repo": "nixpkgs",
-        "rev": "61b1078fca3a097ce06ada68a6f2766347eed02c",
+        "rev": "7f98e3a02655e198f720b704cc51a4c9030cb735",
        "type": "github"
      },
      "original": {
@ -554,11 +451,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1733581040,
-        "narHash": "sha256-Qn3nPMSopRQJgmvHzVqPcE3I03zJyl8cSbgnnltfFDY=",
+        "lastModified": 1746461020,
+        "narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "22c3f2cf41a0e70184334a958e6b124fb0ce3e01",
+        "rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae",
        "type": "github"
      },
      "original": {
@ -570,22 +467,16 @@
    },
    "nixvim": {
      "inputs": {
-        "devshell": "devshell",
-        "flake-compat": "flake-compat_2",
        "flake-parts": "flake-parts_2",
-        "git-hooks": "git-hooks",
-        "home-manager": "home-manager_2",
-        "nix-darwin": "nix-darwin",
        "nixpkgs": "nixpkgs",
-        "nuschtosSearch": "nuschtosSearch",
-        "treefmt-nix": "treefmt-nix"
+        "nuschtosSearch": "nuschtosSearch"
      },
      "locked": {
-        "lastModified": 1731527733,
-        "narHash": "sha256-12OpSgbLDiKmxvBXwVracIfGI9FpjFyHpa1r0Ho+NFA=",
+        "lastModified": 1745324162,
+        "narHash": "sha256-Sjb/LvtWpPtSXacjJCTrLAmWtXNJd0SWxO3PzTvD7Tc=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "f11a877bcc1d66cc8bd7990c704f91c1e99c7d08",
+        "rev": "60638182b8d1b0fe13631d02eafaf8903499ee60",
        "type": "github"
      },
      "original": {
@ -598,14 +489,14 @@
      "inputs": {
        "flake-parts": "flake-parts_3",
        "nixpkgs": "nixpkgs_3",
-        "treefmt-nix": "treefmt-nix_2"
+        "treefmt-nix": "treefmt-nix"
      },
      "locked": {
-        "lastModified": 1733805328,
-        "narHash": "sha256-5F49/mOzFb40uUZh71uNr7kBXjDCw5ZfHMbpZjjUVBQ=",
+        "lastModified": 1746694489,
+        "narHash": "sha256-g7kaChZ34J4RabOLJt1t37dLysmOjKNxW1gEmZ8kJnQ=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "b54fa3d8c020e077d88be036a12a711b84fe2031",
+        "rev": "62161e584fcd651968963baf092a4a02931de216",
        "type": "github"
      },
      "original": {
@ -625,11 +516,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1731060242,
-        "narHash": "sha256-43yLsOm/wxBbfYSNDWVJeVv5Ij+23X3BIjFUfsdx/6M=",
+        "lastModified": 1745046075,
+        "narHash": "sha256-8v4y6k16Ra/fiecb4DxhsoOGtzLKgKlS+9/XJ9z0T2I=",
        "owner": "NuschtOS",
        "repo": "search",
-        "rev": "ef493352f9e1f051e01a55c062731503a6b36b4e",
+        "rev": "066afe8643274470f4a294442aadd988356a478f",
        "type": "github"
      },
      "original": {
@ -642,6 +533,7 @@
      "inputs": {
        "catppuccin": "catppuccin",
        "colmena": "colmena",
+        "comin": "comin",
        "disko": "disko",
        "flake-utils": "flake-utils_2",
        "home-manager": "home-manager",
@ -649,6 +541,7 @@
        "nix-index-database": "nix-index-database",
        "nix-vscode-extensions": "nix-vscode-extensions",
        "nixos-hardware": "nixos-hardware",
+        "nixos-sbc": "nixos-sbc",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-stable": "nixpkgs-stable",
        "nur": "nur",
@ -662,11 +555,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1733785344,
-        "narHash": "sha256-pm4cfEcPXripE36PYCl0A2Tu5ruwHEvTee+HzNk+SQE=",
+        "lastModified": 1746485181,
+        "narHash": "sha256-PxrrSFLaC7YuItShxmYbMgSuFFuwxBB+qsl9BZUnRvg=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "a80af8929781b5fe92ddb8ae52e9027fae780d2a",
+        "rev": "e93ee1d900ad264d65e9701a5c6f895683433386",
        "type": "github"
      },
      "original": {
@ -722,28 +615,6 @@
      }
    },
    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "my-nixvim",
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1730321837,
-        "narHash": "sha256-vK+a09qq19QNu2MlLcvN4qcRctJbqWkX7ahgPZ/+maI=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "746901bb8dba96d154b66492a29f5db0693dbfcc",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
-    "treefmt-nix_2": {
      "inputs": {
        "nixpkgs": [
          "nur",
--- a/flake.nix
+++ b/flake.nix
@ -43,18 +43,29 @@
    };

    my-nixvim = {
-      url = "git+https://git.xinyang.life/xin/nixvim";
+      url = "git+https://git.xiny.li/xin/nixvim";
      inputs.nixpkgs.follows = "nixpkgs";
    };

    catppuccin = {
      url = "github:catppuccin/nix";
+      inputs.nixpkgs.follows = "nixpkgs";
    };

    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    comin = {
+      url = "github:xinyangli/comin/garnix-executor";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nixos-sbc = {
+      url = "github:nakato/nixos-sbc/main";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs =
@ -72,6 +83,8 @@
      colmena,
      nix-index-database,
      disko,
+      comin,
+      nixos-sbc,
      ...
    }:
    let
@ -102,13 +115,21 @@
        self.homeManagerModules.default
        sops-nix.homeManagerModules.sops
        nix-index-database.hmModules.nix-index
-        catppuccin.homeManagerModules.catppuccin
+        catppuccin.homeModules.catppuccin
      ];
      sharedNixosModules = [
        self.nixosModules.default
        sops-nix.nixosModules.sops
+        comin.nixosModules.comin
      ];
      nodeNixosModules = {
+        weilite = [
+          ./machines/weilite
+        ];
+        agate = [
+          disko.nixosModules.disko
+          ./machines/agate
+        ];
        calcite = [
          nixos-hardware.nixosModules.asus-zephyrus-ga401
          catppuccin.nixosModules.catppuccin
@ -138,6 +159,11 @@
          disko.nixosModules.disko
          ./machines/biotite
        ];
+        baryte = [
+          nixos-sbc.nixosModules.default
+          nixos-sbc.nixosModules.boards.bananapi.bpir4
+          ./machines/baryte
+        ];
      };
      sharedColmenaModules = [
        deploymentModule
@ -162,7 +188,17 @@
          system ? null,
        }:
        nixpkgs.lib.nixosSystem {
-          modules = sharedNixosModules ++ nodeNixosModules.${hostname};
+          modules =
+            sharedNixosModules
+            ++ nodeNixosModules.${hostname}
+            ++ [
+              (
+                { lib, ... }:
+                {
+                  networking.hostName = lib.mkDefault hostname;
+                }
+              )
+            ];
        };
      # TODO:
      mkColmenaHive =
@ -193,18 +229,6 @@
          };
        };

-        massicot =
-          { ... }:
-          {
-            deployment.targetHost = "49.13.13.122";
-            deployment.buildOnTarget = true;
-
-            imports = [
-              { nixpkgs.system = "aarch64-linux"; }
-              machines/massicot
-            ] ++ sharedColmenaModules;
-          };
-
        la-00 =
          { ... }:
          {
@ -262,17 +286,6 @@
            ] ++ sharedColmenaModules;
          };

-        weilite =
-          { ... }:
-          {
-            imports = [ machines/weilite ] ++ sharedColmenaModules;
-            deployment = {
-              targetHost = "weilite.coho-tet.ts.net";
-              targetPort = 22;
-              buildOnTarget = false;
-            };
-            nixpkgs.system = "x86_64-linux";
-          };
        thorite =
          { ... }:
          {
@ -286,6 +299,16 @@
          {
            imports = nodeNixosModules.biotite ++ sharedColmenaModules;
          };
+
+        osmium =
+          { ... }:
+          {
+            deployment = {
+              targetHost = "osmium.coho-tet.ts.net";
+              buildOnTarget = false;
+            };
+            imports = nodeNixosModules.osmium ++ sharedColmenaModules;
+          };
      };

      nixosConfigurations = {
@ -293,11 +316,34 @@
          hostname = "calcite";
        };

-        osmium = mkNixos {
-          hostname = "osmium";
+        weilite = mkNixos {
+          hostname = "weilite";
+        };
+
+        agate = mkNixos {
+          hostname = "agate";
+        };
+
+        baryte = mkNixos {
+          hostname = "baryte";
        };
      } // self.colmenaHive.nodes;

+      hydraJobs =
+        let
+          includeHosts = [
+            "agate"
+            "raspite"
+            "baryte"
+            "osmium"
+          ];
+        in
+        builtins.listToAttrs (
+          map (h: {
+            name = h;
+            value = self.nixosConfigurations.${h}.config.system.build.toplevel;
+          }) includeHosts
+        );
    }
    // flake-utils.lib.eachDefaultSystem (
      system:
@ -305,7 +351,7 @@
        pkgs = nixpkgs.legacyPackages.${system};

        mkHomeConfiguration = user: host: {
-          name = user;
+          name = "${user}-${host}";
          value = home-manager.lib.homeManagerConfiguration {
            inherit pkgs;
            modules = [
@ -321,7 +367,6 @@
            packages = with pkgs; [
              nix
              git
-              colmena.packages.${system}.colmena
              sops
              nix-output-monitor
              nil
--- a/garnix.yaml
+++ b/garnix.yaml
@ -1,10 +1,38 @@
 builds:
-  include:
-    - '*.x86_64-linux.*'
-    - defaultPackage.x86_64-linux
-    - devShell.x86_64-linux
-    - homeConfigurations.x86_64-linux.*
-    - homeConfigurations.aarch64-linux.*
-    - darwinConfigurations.*
-    - nixosConfigurations.*
-
+  - include:
+      - nixosConfigurations.*
+    exclude:
+      - nixosConfigurations.osmium
+      - nixosConfigurations.raspite
+      - nixosConfigurations.agate
+      - nixosConfigurations.baryte
+    branch: deploy
+  - include:
+      - nixosConfigurations.*
+    exclude:
+      - nixosConfigurations.osmium
+      - nixosConfigurations.raspite
+      - nixosConfigurations.agate
+      - nixosConfigurations.baryte
+    branch: deploy-next
+  - include:
+      - nixosConfigurations.biotite
+    branch: testing-biotite
+  - include:
+      - nixosConfigurations.calcite
+    branch: testing-calcite
+  - include:
+      - nixosConfigurations.fra-00
+    branch: testing-fra-00
+  - include:
+      - nixosConfigurations.hk-00
+    branch: testing-hk-00
+  - include:
+      - nixosConfigurations.la-00
+    branch: testing-la-00
+  - include:
+      - nixosConfigurations.thorite
+    branch: testing-thorite
+  - include:
+      - nixosConfigurations.weilite
+    branch: testing-weilite
--- a/home/default.nix
+++ b/home/default.nix
@ -1,5 +1,6 @@
 {
  xin = {
    calcite = import ./xin/calcite.nix;
+    gold = import ./xin/gold;
  };
 }
--- a/home/xin/calcite.nix
+++ b/home/xin/calcite.nix
@ -5,6 +5,9 @@ in
 {
  imports = [
    ./common
+    ./common/pentesting.nix
+    ./common/gui/foot.nix
+    ./common/gui/default.nix
  ];

  programs.nix-index-database.comma.enable = true;
@ -41,6 +44,40 @@ in
    wechat-uos
    wpsoffice
    ttf-wps-fonts
+
+    eudic
+
+    exiftool
+    darktable
+    kdePackages.kdenlive
+    inkscape
+    gimp3
+    gthumb
+    oculante
+
+    # Multimedia
+    vlc
+    obs-studio
+    spotify
+    spot
+    # IM
+    element-desktop
+    tdesktop
+
+    # Password manager
+    bitwarden
+
+    # Browser
+    chromium
+
+    # Writting
+    zotero
+
+    # wemeet
+    wemeet
+
+    imhex
+    oidc-agent
  ];

  # Theme
@ -49,21 +86,10 @@ in
    accent = "peach";
    flavor = "mocha";
  };
-  # Missing from catppuccin module
-  services.swaync.style = pkgs.fetchurl {
-    url = "https://github.com/catppuccin/swaync/releases/download/v0.2.3/mocha.css";
-    hash = "sha256-Hie/vDt15nGCy4XWERGy1tUIecROw17GOoasT97kIfc=";
-  };

  xdg.enable = true;

  custom-hm = {
-    alacritty = {
-      enable = true;
-    };
-    cosmic-term = {
-      enable = true;
-    };
    direnv = {
      enable = true;
    };
@ -86,7 +112,7 @@ in
      };
    };
    vscode = {
-      enable = true;
+      enable = false;
      languages = {
        cxx = true;
        python = true;
@ -108,10 +134,12 @@ in

  xdg.systemDirs.data = [
    "/usr/share"
-    "/var/lib/flatpak/exports/share"
-    "${homeDirectory}/.local/share/flatpak/exports/share"
  ];

+  xdg.configFile."distrobox/distrobox.conf".text = ''
+    container_additional_volumes="/nix/store:/nix/store:ro /etc/profiles/per-user:/etc/profiles/per-user:ro"
+  '';
+
  programs.man.generateCaches = false;

  programs.atuin = {
@ -119,6 +147,14 @@ in
    flags = [ "--disable-up-arrow" ];
  };

+  programs.zathura = {
+    enable = true;
+    options = {
+      recolor = false;
+      selection-clipboard = "clipboard";
+    };
+  };
+
  programs.firefox = {
    enable = true;
    policies.DefaultDownloadDirectory = "/media/data/Downloads";
--- a/home/xin/common/gui/default.nix
+++ b/home/xin/common/gui/default.nix
@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    # File Manager
+    xfce.thunar
+    xfce.thunar-archive-plugin
+    xfce.thunar-media-tags-plugin
+    xfce.thunar-volman
+
+    swayimg
+  ];
+}
--- a/home/xin/common/gui/foot.nix
+++ b/home/xin/common/gui/foot.nix
@ -0,0 +1,15 @@
+{ pkgs, lib, ... }:
+{
+  programs.foot = {
+    enable = true;
+    settings = {
+      main = {
+        font = "monospace:size=14";
+      };
+      desktop-notifications = {
+        command = "${lib.getExe pkgs.libnotify} --wait --app-name \${app-id} --icon \${app-id} --category \${category} --urgency \${urgency} --expire-time \${expire-time} --hint STRING:image-path:\${icon} --hint BOOLEAN:suppress-sound:\${muted} --hint STRING:sound-name:\${sound-name} --replace-id \${replace-id} \${action-argument} --print-id -- \${title} \${body}";
+        inhibit-when-focused = "yes";
+      };
+    };
+  };
+}
--- a/home/xin/common/pentesting.nix
+++ b/home/xin/common/pentesting.nix
@ -0,0 +1,6 @@
+{ pkgs, ... }:
+{
+  home.packages = with pkgs; [
+    burpsuite
+  ];
+}
--- a/home/xin/raspite/default.nix
+++ b/home/xin/raspite/default.nix
@ -1,25 +0,0 @@
-{ config, pkgs, ... }:
-{
-  imports = [ ../common ];
-
-  home.username = "xin";
-  home.homeDirectory = "/home/xin";
-  home.stateVersion = "23.05";
-
-  # Let Home Manager install and manage itself.
-  programs.home-manager.enable = true;
-
-  accounts.email.accounts.gmail = {
-    primary = true;
-    address = "lixinyang411@gmail.com";
-    flavor = "gmail.com";
-  };
-
-  accounts.email.accounts.whu = {
-    address = "lixinyang411@whu.edu.cn";
-  };
-
-  accounts.email.accounts.foxmail = {
-    address = "lixinyang411@foxmail.com";
-  };
-}
--- a/machines/agate/default.nix
+++ b/machines/agate/default.nix
@ -0,0 +1,122 @@
+{ lib, ... }:
+let
+  fix-folly-build = (
+    final: prev: {
+      folly =
+        let
+          lib = prev.lib;
+          stdenv = prev.stdenv;
+        in
+        prev.folly.overrideAttrs {
+          checkPhase = ''
+            runHook preCheck
+
+            ctest -j $NIX_BUILD_CORES --output-on-failure --exclude-regex ${
+              lib.escapeShellArg (
+                lib.concatMapStringsSep "|" (test: "^${lib.escapeRegex test}$") (
+                  [
+                    "concurrency_concurrent_hash_map_test.*/ConcurrentHashMapTest/*.StressTestReclamation"
+                    "io_async_ssl_session_test.SSLSessionTest.BasicTest"
+                    "io_async_ssl_session_test.SSLSessionTest.NullSessionResumptionTest"
+                    "singleton_thread_local_test.SingletonThreadLocalDeathTest.Overload"
+
+                    # very strict timing constraints, will fail under load
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.CancelTimeout"
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.DefaultTimeout"
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.DeleteWheelInTimeout"
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.DestroyTimeoutSet"
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.FireOnce"
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.GetTimeRemaining"
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.IntrusivePtr"
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.Level1"
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.NegativeTimeout"
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.ReschedTest"
+                    "io_async_hh_wheel_timer_test.HHWheelTimerTest.SlowFast"
+                    "concurrent_skip_list_test.ConcurrentSkipList.ConcurrentAdd"
+                  ]
+                  ++ lib.optionals stdenv.hostPlatform.isLinux [
+                    "concurrency_cache_locality_test.CacheLocality.BenchmarkSysfs"
+                    "concurrency_cache_locality_test.CacheLocality.LinuxActual"
+                    "futures_future_test.Future.NoThrow"
+                    "futures_retrying_test.RetryingTest.largeRetries"
+                  ]
+                  ++ lib.optionals stdenv.hostPlatform.isDarwin [
+                    "buffered_atomic_test.BufferedAtomic.singleThreadUnguardedAccess"
+                    "io_async_notification_queue_test.NotificationQueueTest.UseAfterFork"
+                    "container_heap_vector_types_test.HeapVectorTypes.SimpleSetTes"
+                  ]
+                )
+              )
+            }
+
+            runHook postCheck
+          '';
+        };
+    }
+  );
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./disk-config.nix
+    ./services
+  ];
+
+  boot.loader.grub = {
+    enable = true;
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    devices = lib.mkForce [ ];
+    mirroredBoots = [
+      {
+        devices = [
+          "/dev/disk/by-partlabel/disk-ssd1-system_p1"
+        ];
+        path = "/boot0";
+      }
+      {
+        devices = [
+          "/dev/disk/by-partlabel/disk-ssd2-system_p2"
+        ];
+        path = "/boot1";
+      }
+    ];
+  };
+
+  users.users.root.hashedPassword = "$y$j9T$vgLUF3/R0RJpDu7e22fSW.$CPomHsuRziERtNGUnnMZZDQG.Vj7LCe5PUOSbvkwSV3";
+
+  commonSettings = {
+    auth.enable = true;
+    nix = {
+      enable = true;
+    };
+    comin.enable = true;
+    network.localdns.enable = true;
+  };
+  system.stateVersion = "25.05";
+  time.timeZone = "Asia/Shanghai";
+
+  nix.settings = {
+    max-jobs = 8;
+    cores = 16;
+    substituters = [ "https://cache.ngi0.nixos.org/" ];
+    trusted-public-keys = [ "cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=" ];
+  };
+
+  nixpkgs.config.contentAddressedByDefault = true;
+  nixpkgs.overlays = [ fix-folly-build ];
+
+  custom.prometheus.exporters = {
+    enable = true;
+    blackbox = {
+      enable = true;
+    };
+    node = {
+      enable = true;
+    };
+  };
+
+  custom.monitoring = {
+    promtail.enable = true;
+  };
+}
--- a/machines/agate/disk-config.nix
+++ b/machines/agate/disk-config.nix
@ -0,0 +1,132 @@
+{
+  disko.devices = {
+    disk = {
+      ssd1 = {
+        type = "disk";
+        device = "/dev/disk/by-path/pci-0004:49:00.0-sas-exp0x500e004aaaaaaa1f-phy1-lun-0";
+        content = {
+          type = "gpt";
+          partitions = {
+            BOOT = {
+              size = "1M";
+              type = "EF02";
+            };
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot0";
+              };
+            };
+            system_p1 = {
+              size = "100%";
+            };
+          };
+        };
+      };
+      ssd2 = {
+        type = "disk";
+        device = "/dev/disk/by-path/pci-0004:49:00.0-sas-exp0x500e004aaaaaaa1f-phy2-lun-0";
+        content = {
+          type = "gpt";
+          partitions = {
+            BOOT = {
+              size = "1M";
+              type = "EF02";
+            };
+            ESP = {
+              size = "500M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot1";
+              };
+            };
+            system_p2 = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [
+                  "-f"
+                  "-d raid1"
+                  "/dev/disk/by-partlabel/disk-ssd1-system_p1"
+                ];
+                subvolumes = {
+                  # Subvolume name is different from mountpoint
+                  "/rootfs" = {
+                    mountpoint = "/";
+                  };
+                  # Subvolume name is the same as the mountpoint
+                  "/home" = {
+                    mountOptions = [ "compress=zstd" ];
+                    mountpoint = "/home";
+                  };
+                  # Parent is not mounted so the mountpoint must be set
+                  "/nix" = {
+                    mountOptions = [
+                      "compress=zstd"
+                      "noatime"
+                    ];
+                    mountpoint = "/nix";
+                  };
+                  "/persistent" = {
+                    mountOptions = [
+                      "noatime"
+                      # Lots of dbs in /var/lib, let's disable cow
+                      "nodatacow"
+                    ];
+                    mountpoint = "/var/lib";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+
+      hdd1 = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WUH721414ALE6L0_9KGEMPVL";
+        content = {
+          type = "gpt";
+          partitions = {
+            storage_p1 = {
+              size = "100%";
+            };
+          };
+        };
+      };
+      hdd2 = {
+        type = "disk";
+        device = "/dev/disk/by-id/ata-WUH721414ALE6L0_X1G14ZNL";
+        content = {
+          type = "gpt";
+          partitions = {
+            storage_p2 = {
+              size = "100%";
+              content = {
+                type = "btrfs";
+                extraArgs = [
+                  "-f"
+                  "-d raid1"
+                  "/dev/disk/by-partlabel/disk-hdd1-storage_p1"
+                ];
+                subvolumes = {
+                  "/storage" = {
+                    mountOptions = [
+                      "compress=zstd"
+                    ];
+                    mountpoint = "/storage";
+                  };
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}
--- a/machines/agate/hardware-configuration.nix
+++ b/machines/agate/hardware-configuration.nix
@ -0,0 +1,23 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "mpt3sas" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}
--- a/machines/massicot/services/default.nix
+++ b/machines/massicot/services/default.nix
@ -1,5 +1,5 @@
 {
  imports = [
-    ./restic.nix
+    ./hydra.nix
  ];
 }
--- a/machines/agate/services/hydra.nix
+++ b/machines/agate/services/hydra.nix
@ -0,0 +1,9 @@
+{
+  services.hydra = {
+    enable = true;
+    hydraURL = "http://agate.coho-tet.ts.net:3000/";
+    notificationSender = "hydra@localhost";
+    buildMachinesFiles = [ ];
+    useSubstitutes = true;
+  };
+}
--- a/machines/agate/services/minio.nix
+++ b/machines/agate/services/minio.nix
@ -0,0 +1,6 @@
+{
+  services.minio = {
+    enable = true;
+    region = "ap-east-1";
+  };
+}
--- a/machines/baryte/default.nix
+++ b/machines/baryte/default.nix
@ -0,0 +1,19 @@
+{ config, lib, ... }:
+{
+  imports = [
+  ];
+  config = {
+    nixpkgs.hostPlatform = "aarch64-linux";
+    system.stateVersion = "25.05";
+    users.users.root.hashedPassword = "$y$j9T$NToEZWJBONjSgRnMd9Ur9/$o6n7a9b8eUILQz4d37oiHCCVnDJ8hZTZt.c.37zFfU.";
+
+    commonSettings = {
+      auth.enable = true;
+      network.localdns.enable = true;
+      serverComponents.enable = true;
+    };
+
+    services.openssh.enable = true;
+    time.timeZone = "Asia/Shanghai";
+  };
+}
--- a/machines/baryte/hardware-configuration.nix
+++ b/machines/baryte/hardware-configuration.nix
@ -0,0 +1,20 @@
+{ config, modulesPath, ... }:
+{
+  imports = [ ];
+
+  disko.devices = {
+    disk = {
+      main = {
+        type = "disk";
+        device = "/dev/vda";
+        content = {
+          type = "gpt";
+          partitions = {
+            boot = config.diskPartitions.grubMbr;
+            root = config.diskPartitions.btrfs;
+          };
+        };
+      };
+    };
+  };
+}
--- a/machines/biotite/default.nix
+++ b/machines/biotite/default.nix
@ -15,6 +15,7 @@
    ./services/hedgedoc.nix
    ./services/forgejo.nix
    ./services/vaultwarden.nix
+    ./services/kanidm.nix
  ];

  networking.hostName = "biotite";
@ -36,21 +37,9 @@

  commonSettings = {
    auth.enable = true;
+    comin.enable = true;
  };

-  custom.monitoring = {
-    promtail.enable = true;
-  };
-
-  custom.prometheus.exporters = {
-    enable = true;
-    node.enable = true;
-  };
-
-  services.tailscale.enable = true;
-
-  services.caddy.enable = true;
-
  sops = {
    defaultSopsFile = ./secrets.yaml;
    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
--- a/machines/biotite/secrets.yaml
+++ b/machines/biotite/secrets.yaml
@ -11,6 +11,8 @@ hedgedoc:
    client_secret: ENC[AES256_GCM,data:J6lRBM7V6F+gPYVyEbOzsFUQe8+3ggP0r58c655DNt7TGgKGdq95pRvLaghMmBCc,iv:i+eLYwnmG1/bKtad2iM2pwEAC3GZLNaKS5ldbubRvyY=,tag:yxaug6YdYo8RR3YOyHd/iA==,type:str]
 forgejo:
    client_secret: ENC[AES256_GCM,data:5OXhaGzBCbge2tvTaU4ry6/KoavQeYJ45EuakCQJlxb5gMXjRK/s+feF25YJSr2f,iv:TT8j+ciKeSQCZzu1E7D70hWNFpn0cGiomz7jURXjavc=,tag:JVJR033Pc2vaLudaovkl8w==,type:str]
+vaultwarden:
+    admin_token: ENC[AES256_GCM,data:hRmnuehfMk3bF7tkxShnAGH1OB/yyCyaJqhdJQvSmVMtr6Cz7j1ZEeqfRI+jrqOi,iv:xYmP0Kwp5XkCcJWjqLwFOxRtUxIUH1r1fLUr5xyvpWo=,tag:Yj2nME07cA+ve3ipN6Ehqg==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -35,8 +37,8 @@ sops:
            RzBMVDNjS29SUkdRK3dIV01sU0hYR3cK1SbvKAM6Gpsffv3HIi/WtWnCZUBic0AT
            ZRv4pvJBx1oxWsKIHW0t6VrqWMQ+suup8p6dW+h5HE8Z4ciIMrXLEg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-04T05:07:32Z"
-    mac: ENC[AES256_GCM,data:hD7645epMVYHU6K1AZsHu+fp/PMIqqiZpv7K4Vxzo84slzn0CfZSYaVaYxKNGjOIgEGN9D2FFmq9WL6ChMskMfqqafY7qDpSQqFp9TUwb5jN34XcQg9vplfNw+lMqsnDCt1HENWErRnlDxTI2ctSEcx3UKGBOQ3ttLzUIySdnFY=,iv:reOsqvc8E3l8yxb5gVcqF/rU2o2yKmaUyGNRNT+Skx8=,tag:eBoV8G+X0cPs3Q1xAuv55w==,type:str]
+    lastmodified: "2025-03-23T13:32:31Z"
+    mac: ENC[AES256_GCM,data:9xbcK+hl+tZTyikCpIOY6YBgaY8AOvaekyKTbQ47KJkQeNb3eyfAxBB1kivu/LU8H8pWWST8GpL/umllbwMzjRLVXU63CQle5cDuDVq9ySPMdxhmxyZ23bKJp7jUzTrGQMm+jnguCuCMxEeDo+R0ZD8a2nvbBT1XKYyVFSBB/0E=,iv:D5RrNSRa7bxivGCu24YT0nO0vuorSEK1VNVOEsJIfaA=,tag:xXXk9uCqZpr4RYqfnF0Ogw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.4
--- a/machines/biotite/services/forgejo.nix
+++ b/machines/biotite/services/forgejo.nix
@ -69,28 +69,29 @@ in
  systemd.services.forgejo = {
    serviceConfig = {
      EnvironmentFile = config.sops.templates."forgejo/env".path;
-      preStart =
-        let
-          providerName = "kanidm";
-          args = lib.concatStringsSep " " [
-            "--name ${providerName}"
-            "--provider openidConnect"
-            "--key forgejo"
-            "--secret $CLIENT_SECRET"
-            "--icon-url ${idpUrl}/pkg/img/favicon.png"
-            "--group-claim-name forgejo_role --admin-group Admin"
-          ];
-          exe = getExe config.services.forgejo.package;
-        in
-        ''
-          provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
-          if [[ -z "$provider_id" ]]; then
-            ${exe} admin auth add-oauth ${args}
-          else
-            ${exe} admin auth update-oauth --id "$provider_id" ${args}
-          fi
-        '';
    };
+    preStart =
+      let
+        providerName = "kanidm";
+        args = lib.concatStringsSep " " [
+          "--name ${providerName}"
+          "--provider openidConnect"
+          "--key forgejo"
+          "--secret $CLIENT_SECRET"
+          "--auto-discover-url https://${idpUrl}/oauth2/openid/forgejo/.well-known/openid-configuration"
+          "--icon-url https://${idpUrl}/pkg/img/favicon.png"
+          "--group-claim-name forgejo_role --admin-group Admin"
+        ];
+        exe = getExe config.services.forgejo.package;
+      in
+      ''
+        provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
+        if [[ -z "$provider_id" ]]; then
+          ${exe} admin auth add-oauth ${args}
+        else
+          ${exe} admin auth update-oauth --id "$provider_id" ${args}
+        fi
+      '';
  };

  users.users.git = {
--- a/machines/biotite/services/gotosocial.nix
+++ b/machines/biotite/services/gotosocial.nix
@ -26,7 +26,7 @@ in
      instance-expose-public-timeline = true;
      oidc-enabled = true;
      oidc-idp-name = "Kanidm";
-      oidc-issuer = "${idpUrl}/oauth2/openid/gotosocial";
+      oidc-issuer = "https://${idpUrl}/oauth2/openid/gotosocial";
      oidc-client-id = "gotosocial";
      oidc-link-existing = true;
    };
--- a/machines/biotite/services/hedgedoc.nix
+++ b/machines/biotite/services/hedgedoc.nix
@ -20,10 +20,10 @@ in
      email = false;
      allowEmailRegister = false;
      oauth2 = {
-        baseURL = "${idpUrl}/oauth2/openid/hedgedoc";
-        authorizationURL = "${idpUrl}/ui/oauth2";
-        tokenURL = "${idpUrl}/oauth2/token";
-        userProfileURL = "${idpUrl}/oauth2/openid/hedgedoc/userinfo";
+        baseURL = "https://${idpUrl}/oauth2/openid/hedgedoc";
+        authorizationURL = "https://${idpUrl}/ui/oauth2";
+        tokenURL = "https://${idpUrl}/oauth2/token";
+        userProfileURL = "https://${idpUrl}/oauth2/openid/hedgedoc/userinfo";
        userProfileEmailAttr = "email";
        userProfileUsernameAttr = "name";
        userProfileDisplayNameAttr = "preferred_name";
--- a/machines/biotite/services/kanidm-provision.nix
+++ b/machines/biotite/services/kanidm-provision.nix
@ -177,8 +177,11 @@ in
          "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"
          "https://immich.xinyang.life:8000/auth/login"
          "https://immich.xinyang.life:8000/user-settings"
+          "https://immich.xiny.li:8443/api/oauth/mobile-redirect/"
+          "https://immich.xiny.li:8443/auth/login"
+          "https://immich.xiny.li:8443/user-settings"
        ];
-        originLanding = "https://immich.xinyang.life:8000/auth/login?autoLaunch=0";
+        originLanding = "https://immich.xiny.li:8443/auth/login?autoLaunch=0";
        allowInsecureClientDisablePkce = true;
        scopeMaps = {
          immich-users = [
--- a/machines/biotite/services/kanidm.nix
+++ b/machines/biotite/services/kanidm.nix
@ -0,0 +1,54 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  kanidm_listen_port = 5324;
+  inherit (config.my-lib.settings) idpUrl;
+in
+{
+  imports = [
+    ./kanidm-provision.nix
+  ];
+
+  security.acme = {
+    acceptTerms = true;
+    certs.${idpUrl} = {
+      email = "lixinyang411@gmail.com";
+      listenHTTP = "127.0.0.1:1360";
+      group = "kanidm";
+    };
+  };
+
+  services.kanidm = {
+    package = lib.mkForce pkgs.kanidmWithSecretProvisioning_1_5;
+    enableServer = true;
+    serverSettings = {
+      domain = idpUrl;
+      origin = "https://${idpUrl}";
+      bindaddress = "[::]:${toString kanidm_listen_port}";
+      tls_key = ''${config.security.acme.certs.${idpUrl}.directory}/key.pem'';
+      tls_chain = ''${config.security.acme.certs.${idpUrl}.directory}/fullchain.pem'';
+      online_backup.versions = 7;
+      # db_path = "/var/lib/kanidm/kanidm.db";
+    };
+  };
+
+  services.caddy = {
+    enable = true;
+    virtualHosts."http://${idpUrl}".extraConfig = ''
+      reverse_proxy ${config.security.acme.certs.${idpUrl}.listenHTTP}
+    '';
+    virtualHosts."https://${idpUrl}".extraConfig = ''
+      reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
+          header_up Host {upstream_hostport}
+          header_down Access-Control-Allow-Origin "*"
+          transport http {
+              tls_server_name ${config.services.kanidm.serverSettings.domain}
+          }
+      }
+    '';
+  };
+}
--- a/machines/biotite/services/miniflux.nix
+++ b/machines/biotite/services/miniflux.nix
@ -17,7 +17,7 @@ in
      OAUTH2_CLIENT_ID = "miniflux";
      OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret";
      OAUTH2_REDIRECT_URL = "${minifluxUrl}/oauth2/oidc/callback";
-      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "${idpUrl}/oauth2/openid/miniflux";
+      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://${idpUrl}/oauth2/openid/miniflux";
      OAUTH2_USER_CREATION = 1;
      CREATE_ADMIN = 0;
    };
--- a/machines/biotite/services/synapse.nix
+++ b/machines/biotite/services/synapse.nix
@ -29,6 +29,13 @@ in
    '';
  };

+  # TODO: Waiting for https://github.com/NixOS/nixpkgs/issues/367976
+  nixpkgs.overlays = [
+    (final: prev: {
+      matrix-synapse-unwrapped = prev.matrix-synapse-unwrapped.overridePythonAttrs { doCheck = false; };
+    })
+  ];
+
  services.matrix-synapse = {
    enable = true;
    withJemalloc = true;
@ -78,11 +85,11 @@ in
      oidc_providers = [
        {
          idp_id = "Kanidm";
-          idp_name = lib.removePrefix "https://" idpUrl;
-          issuer = "${idpUrl}/oauth2/openid/synapse";
-          authorization_endpoint = "${idpUrl}/ui/oauth2";
-          token_endpoint = "${idpUrl}/oauth2/token";
-          userinfo_endpoint = "${idpUrl}/oauth2/openid/synapse/userinfo";
+          idp_name = idpUrl;
+          issuer = "https://${idpUrl}/oauth2/openid/synapse";
+          authorization_endpoint = "https://${idpUrl}/ui/oauth2";
+          token_endpoint = "https://${idpUrl}/oauth2/token";
+          userinfo_endpoint = "https://${idpUrl}/oauth2/openid/synapse/userinfo";
          client_id = "synapse";
          client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path;
          scopes = [
@ -113,8 +120,4 @@ in
      reverse_proxy /_synapse/client/* 127.0.0.1:${toString port-synapse}
    '';
  };
-
-  networking.firewall.allowedTCPPorts = [
-    443
-  ];
 }
--- a/machines/biotite/services/vaultwarden.nix
+++ b/machines/biotite/services/vaultwarden.nix
@ -3,6 +3,18 @@ let
  inherit (config.my-lib.settings) vaultwardenUrl;
 in
 {
+
+  sops.secrets."vaultwarden/admin_token" = {
+    owner = "vaultwarden";
+  };
+
+  sops.templates."vaultwarden.env" = {
+    owner = "vaultwarden";
+    content = ''
+      ADMIN_TOKEN=${config.sops.placeholder."vaultwarden/admin_token"}
+    '';
+  };
+
  services.vaultwarden = {
    enable = true;
    dbBackend = "sqlite";
@ -15,6 +27,7 @@ in

      ROCKET_LOG = "normal";
    };
+    environmentFile = config.sops.templates."vaultwarden.env".path;
  };

  services.caddy = {
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@ -5,7 +5,8 @@
  ...
 }:
 let
-  inherit (lib) mkForce getExe;
+  inherit (lib) getExe;
+  inherit (config.my-lib.settings) idpUrl;
 in
 {
  imports = [
@ -16,22 +17,32 @@ in
  ];

  commonSettings = {
-    # auth.enable = true;
+    auth.enable = true;
    nix = {
      signing.enable = true;
    };
+    comin.enable = true;
+    network.localdns.enable = true;
  };

+  nix.settings.substituters = [
+    "https://nix-community.cachix.org"
+  ];
+  nix.settings.trusted-public-keys = [
+    # Compare to the key published at https://nix-community.org/cache
+    "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+  ];
+
  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  # boot.kernelPackages = pkgs.linuxPackages_latest;
  boot.kernelModules = [
    "nvidia"
    "nvidia_modeset"
    "nvidia_uvm"
  ];
+  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.latest;
  boot.supportedFilesystems = [ "ntfs" ];
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];

@ -49,10 +60,10 @@ in
    # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
    tctiEnvironment.enable = true;
  };
-  # services.gnome.gnome-keyring.enable = lib.mkForce false;
  security.pam.services.login.enableGnomeKeyring = lib.mkForce false;

  programs.ssh.agentPKCS11Whitelist = "${config.security.tpm2.pkcs11.package}/lib/libtpm_pkcs11.so";
+  programs.gnupg.agent.pinentryPackage = pkgs.pinentry-gtk2;

  networking.hostName = "calcite";

@ -151,6 +162,15 @@ in
  services.keyd = {
    enable = true;
    keyboards = {
+      default = {
+        ids = [ "*" ];
+        settings = {
+          main = {
+            capslock = "overload(control, esc)";
+            control = "overload(control, esc)";
+          };
+        };
+      };
      "internal" = {
        ids = [ "0b05:1866" ];
        settings = {
@ -165,18 +185,6 @@ in
        settings = {
          main = {
            mouse2 = "leftmeta";
-            # leftalt = "mouse1";
-          };
-        };
-      };
-      "keydous" = {
-        ids = [
-          "25a7:fa14"
-          "3151:4002"
-        ];
-        settings = {
-          main = {
-            capslock = "overload(control, esc)";
          };
        };
      };
@ -187,12 +195,16 @@ in
  services.printing.enable = true;
  services.printing.drivers = [
    pkgs.hplip
+    pkgs.gutenprint
    pkgs.gutenprintBin
-    pkgs.canon-cups-ufr2
  ];
+  hardware.sane = {
+    enable = true;
+    extraBackends = [ pkgs.hplipWithPlugin ];
+  };

-  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
+  services.avahi.enable = true;
  services.pipewire = {
    enable = true;
    wireplumber.enable = true;
@ -212,16 +224,10 @@ in
      "wheel"
      "wireshark"
      "tss"
+      "scanner"
    ];
  };

-  services.kanidm = {
-    enableClient = true;
-    clientSettings = {
-      uri = "https://auth.xinyang.life";
-    };
-  };
-
  # Smart services
  services.smartd.enable = true;

@ -230,36 +236,9 @@ in
  nixpkgs.config.allowUnfree = true;
  nixpkgs.config.permittedInsecurePackages = [
    "openssl-1.1.1w"
-    # FIXME: Waiting for https://github.com/NixOS/nixpkgs/pull/335753
-    "jitsi-meet-1.0.8043"
  ];
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
  environment.systemPackages = with pkgs; [
-    imhex
-    oidc-agent
-    # Filesystem
-    (owncloud-client.overrideAttrs (
-      finalAttrs: previousAttrs: {
-        src = pkgs.fetchFromGitHub {
-          owner = "xinyangli";
-          repo = "client";
-          rev = "780d1c4c8bf02be42e118c792ff833ab10c2fdcc";
-          hash = "sha256-pEwcGJI9sN9nooW/RQHmi52Du6yzofgZeB8PcjwPtZ8=";
-        };
-      }
-    ))
-    nfs-utils
-
-    # tesseract5 # ocr
-    ocrmypdf # pdfocr
-
-    gtkwave
-    bubblewrap
-
    # ==== Development ==== #
-    # Python
-    # reference: https://nixos.wiki/wiki/Python
    (
      let
        my-python-packages =
@ -277,31 +256,13 @@ in

    # ==== GUI Softwares ==== #

-    eudic
-
    bibata-cursors
-    gthumb
-    oculante

-    # Multimedia
-    vlc
-    obs-studio
-    spotify
-    # IM
-    element-desktop
-    tdesktop
-
-    # Password manager
-    bitwarden
-
-    # Browser
-    chromium
-
-    # Writting
-    zotero
-    # onlyoffice-bin
-
-    wemeet
+    (epsonscan2.overrideAttrs (
+      finalAttrs: prevAttrs: {
+        patches = prevAttrs.patches ++ [ ./fix-crash.patch ];
+      }
+    ))

    virt-manager
    wineWowPackages.waylandFull
@ -325,9 +286,25 @@ in
      owner = "xin";
      sopsFile = ./secrets.yaml;
    };
-    "gitea/envfile" = {
-      owner = "root";
+    "davfs2/photosync_password" = {
      sopsFile = ./secrets.yaml;
+      mode = "0600";
+    };
+  };
+
+  sops.templates."davfs2.conf" = {
+    owner = config.services.davfs2.davUser;
+    content = ''
+      https://weilite.coho-tet.ts.net:6065/photosync photosync ${
+        config.sops.placeholder."davfs2/photosync_password"
+      }
+    '';
+  };
+
+  environment.etc = {
+    "davfs2/secrets" = {
+      source = config.sops.templates."davfs2.conf".path;
+      mode = "0600";
    };
  };

@ -339,20 +316,6 @@ in
    ];
  };

-  # custom.forgejo-actions-runner = {
-  #   enable = false;
-  #   tokenFile = config.sops.secrets."gitea/envfile".path;
-  #   settings = {
-  #     runner.capacity = 2;
-  #     runner.fetch_timeout = "120s";
-  #     runner.fetch_interval = "30s";
-  #   };
-  # };
-  #
-  custom.prometheus = {
-    exporters.node.enable = true;
-  };
-
  services.ollama = {
    enable = true;
    acceleration = "cuda";
@ -363,6 +326,32 @@ in

  services.flatpak.enable = true;

+  services.davfs2 = {
+    enable = true;
+    settings = {
+      globalSection = {
+        use_locks = 1;
+        gui_optimize = 1;
+        table_size = 4096;
+        cache_size = 10240;
+      };
+    };
+  };
+
+  fileSystems = {
+    "/media/photosync" = {
+      device = "https://weilite.coho-tet.ts.net:6065/photosync";
+      fsType = "davfs";
+      options = [
+        "rw"
+        "uid=1000"
+        "nodev"
+        "nosuid"
+        "nofail"
+      ];
+    };
+  };
+
  # Fonts
  fonts = {
    packages = with pkgs; [
--- a/machines/calcite/fix-crash.patch
+++ b/machines/calcite/fix-crash.patch
@ -0,0 +1,36 @@
+diff -uNr a/src/Controller/Src/Finder/UsbFinder.cpp b/src/Controller/Src/Finder/UsbFinder.cpp
+--- a/src/Controller/Src/Finder/UsbFinder.cpp	2024-10-05 01:47:57.530027467 +0800
+++ b/src/Controller/Src/Finder/UsbFinder.cpp	2024-10-07 01:58:36.293405252 +0800
+@@ -119,14 +119,26 @@
+                                     sprintf(const_cast<char*>(devInfo.displayName), "%s", "DS-5500/DS-6500/DS-7500");
+                                     isValidDeviceInfo = true;
+                                 }
+                                else if (dd.idProduct == 0x14A)
+                                {
+                                    sprintf(const_cast<char*>(devInfo.displayName), "%s", "Perfection V37/V370");
+                                    isValidDeviceInfo = true;
+                                }
+                                 else
+                                 {
+-                                sprintf((char*)strDescWithAddress, "%s:%s", strDesc, serialNumber);
+-                                 strncpy(const_cast<char*>(devInfo.displayName),(const char*)strDescWithAddress, MAX_DISPLAYNAME - 1);
+-                                 if (strlen(devInfo.displayName) != 0 || searchSecondDevice)
+-                                 {
+-                                     isValidDeviceInfo = true;
+-                                 }
+                                    if (dd.iSerialNumber == 0)
+                                    {
+                                        sprintf((char*)strDescWithAddress, "%s", strDesc);
+                                    } 
+                                    else
+                                    {
+                                        sprintf((char*)strDescWithAddress, "%s:%s", strDesc, serialNumber);
+                                    }
+                                    strncpy(const_cast<char*>(devInfo.displayName),(const char*)strDescWithAddress, MAX_DISPLAYNAME - 1);
+                                    if (strlen(devInfo.displayName) != 0 || searchSecondDevice)
+                                    {
+                                        isValidDeviceInfo = true;
+                                    }
+                                 }
+                                 libusb_close (devHandle);
+                                 devHandle = nullptr;
--- a/machines/calcite/hardware-configuration.nix
+++ b/machines/calcite/hardware-configuration.nix
@ -18,7 +18,6 @@
    "ahci"
    "usbhid"
  ];
-  boot.initrd.kernelModules = [ ];

  boot.initrd = {
    systemd.enable = true; # initrd uses systemd
@ -31,10 +30,8 @@
    };
  };
  boot.kernelModules = [ "kvm-amd" ];
-  boot.extraModulePackages = [ ];

  fileSystems."/" = {
-    # device = "/dev/disk/by-label/NIXROOT";
    device = "/dev/mapper/cryptroot";
    fsType = "btrfs";
  };
@ -57,16 +54,6 @@

  swapDevices = [ { device = "/dev/disk/by-label/NIXSWAP"; } ];

-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.tailscale0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.virbr0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wg0.useDHCP = lib.mkDefault true;
-  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
-
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
  hardware.graphics = {
--- a/machines/calcite/network.nix
+++ b/machines/calcite/network.nix
@ -1,46 +1,24 @@
 {
-  config,
  pkgs,
-  lib,
  ...
 }:
-
 {
  imports = [ ];

-  # Enable networking
  networking = {
    networkmanager = {
      enable = true;
-      dns = "systemd-resolved";
+      dns = "default";
+      settings = {
+        main = {
+          rc-manager = "resolvconf";
+        };
+      };
    };
  };

-  services.resolved = {
-    enable = true;
-    extraConfig = ''
-      Cache=no
-    '';
-  };
-
-  # Enable Tailscale
-  services.tailscale.enable = true;
-  # services.tailscale.useRoutingFeatures = "both";
-
-  services.dae.enable = true;
-  services.dae.configFile = "/var/lib/dae/config.dae";
-  systemd.services.dae.after = lib.mkIf (config.networking.networkmanager.enable) [
-    "NetworkManager-wait-online.service"
-  ];
-
  # Open ports in the firewall.
  networking.firewall.enable = true;
-  networking.firewall.allowedTCPPorts = [ 3389 ];
-  networking.firewall.allowedUDPPorts = [
-    3389
-    41641
-  ];
-  networking.firewall.trustedInterfaces = [ "tailscale0" ];
  # Use nftables to manager firewall
  networking.nftables.enable = true;

--- a/machines/calcite/secrets.yaml
+++ b/machines/calcite/secrets.yaml
@ -1,13 +1,9 @@
 restic:
    repo_url: ENC[AES256_GCM,data:x/g1nZQ59SavVG+u5apNmBQ0Y5uQ9N0EKVh6qovqeP/Z7tmkudJtlBFD35C0ZidcQLAqTaZk1FFh8Ikjo4OcQSdTsx9BGvT4,iv:RQMOSEacDHXjYceBaAW4sFGk38vkijHuADcTS3DMxa8=,tag:769rLA2eRKjDrAaL/jERbA==,type:str]
    repo_password: ENC[AES256_GCM,data:jqsIP1R5/yX8F0oYaSXACx6C,iv:KckzqctKLnmay+d30/Y4IttiASxYnMw6IHQrtwP2YdQ=,tag:L/Ij51UU1om48I8fd4iuwA==,type:str]
-gitea:
-    envfile: ENC[AES256_GCM,data:CK+JNELuzjKgWnImuV4Euif3f3nNOACOrvc4NiIXs+q/F7QWrtpb3TK8/FrLNQk=,iv:QSDrlKJCBld2gDx/y1sT8anh37GhqSS2QZd2JJi5Yis=,tag:x5T6h59LBXhEyVwSr2dnuQ==,type:str]
+davfs2:
+    photosync_password: ENC[AES256_GCM,data:J3+pJCjjV+hlPC2il5f7Vn+9k+Aatolgut1DX1G+JF4=,iv:OgZn6Glho3Cfrl0GJhGSbmcYjSe6sjM9PjvEZnM/c4w=,tag:i5AVG139nK3ecK3VwWpQuQ==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
          enc: |
@ -27,8 +23,7 @@ sops:
            WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
            FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-28T03:55:19Z"
-    mac: ENC[AES256_GCM,data:VH7RnRT33ltsxycuSsUsM+64onQeClwQ3fIHUVQUyRJ6t7aJkBiGMQ80QtmwGE5CJTbq7LV4cis5Pq/f9vTb0SsY4tCSIgXNAE2zW2rjjQKjdHr+rnnKSJExJA+k2tL06Q/FUu+3SP7pVSaYBGQKb53UAbHsdJYbx00Ko6MzZ7U=,iv:EiYhbr6o4n3kGEEWKXeWmDPSb5hOvUhRH7N2ZLPRHmQ=,tag:BdI140bhvBW0bwQPpRYiRw==,type:str]
-    pgp: []
+    lastmodified: "2025-05-08T09:47:09Z"
+    mac: ENC[AES256_GCM,data:pBryBOfgVYROAJ6LfqpEXz8ph4bcAoWLADibpET0jwb4CBNuEW9BWXzVu+Ci+gKjKhSxh8xwr+TLSvo8zNOeGz/Mdl2vVaEWNKX4dUMMd9IXRJ+8jSlhxkMWPi25xoiMjY763MgOnBYsdqPpKKB1xLHkRtULAHlZ2m3VhVWxMWM=,iv:egYcxVjCH4uPbHvCcU9MVCRHoDbNH8tYet1vyDf9nhw=,tag:DDBC0TSdsnaF3SFTuH6rOQ==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.10.2
--- a/machines/dolomite/claw.nix
+++ b/machines/dolomite/claw.nix
@ -35,7 +35,11 @@
    systemd.network.enable = true;
    systemd.network.networks."10-wan" = {
      matchConfig.MACAddress = "00:16:3e:0a:ec:45";
-      networkConfig.DHCP = "ipv4";
+      networkConfig = {
+        DHCP = "ipv4";
+        LinkLocalAddressing = "no";
+        IPv6AcceptRA = "no";
+      };
      dhcpV4Config = {
        UseDNS = true;
      };
--- a/machines/dolomite/common.nix
+++ b/machines/dolomite/common.nix
@ -33,16 +33,17 @@
      promtail.enable = true;
    };

-    services.tailscale.enable = true;
-
    commonSettings = {
      auth.enable = true;
+      comin.enable = true;
+      serverComponents.enable = true;
      proxyServer = {
        enable = true;
        users = [
          "wyj"
          "yhb"
          "xin"
+          "zx"
        ];
      };
    };
--- a/machines/dolomite/secrets/secrets.yaml
+++ b/machines/dolomite/secrets/secrets.yaml
@ -9,6 +9,9 @@ sing-box:
        xin:
            password: ENC[AES256_GCM,data:SRiPFO+Uwy/PT41SIg7eI68wk4AX6so=,iv:aXwP5wa1IrlnvFo/ZL+DYFFHDdWw2Z83de3ApHUTsXo=,tag:sxXoy1FnDxZBQCDeNxphzQ==,type:str]
            uuid: ENC[AES256_GCM,data:7xK53SO4x0tOIEIYl6kmmAvnpdsR/tYQoG1t/ytsnO4QqWY3,iv:i694Fnu7g1OA3IGzSaoSGA5/eMPo+I/1TZbYuaQrgNA=,tag:4cUlioJn/IvsvZclgboOSA==,type:str]
+        zx:
+            password: ENC[AES256_GCM,data:UkRaj5aadq8Ea3j3wh6YQDzxmew=,iv:vrJ7h97KaWmp7+rkYowdTDI7HIq71ZUIERE3o0BY5Fc=,tag:YEPydn9fLmEBYBDD//6Pfw==,type:str]
+            uuid: ENC[AES256_GCM,data:W+qXN1Xa5ZMXRQh+7dtZkExFrp6qqEOkoxn8Fj5qQ5U23ytz,iv:559UEoMyY3/RfmwJLFCerkuV0DjTbhaRPbW56toxMEU=,tag:pv706bZgEblyGS7V9mwABA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -51,8 +54,8 @@ sops:
            K1F1SzI2NFNIKzlreVBXSjAxaUxQd28KFaf1uu7OlqIe0TirJFgS3iPjhXPyfNDE
            m2XUjzdXp+chJCzVOFvpYStqz+e08ADEc+jp3YsTLcxyqvXhQdyL/Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-06T04:35:52Z"
-    mac: ENC[AES256_GCM,data:DAg4UTwNv+rs6hye2z5UUtA1a4yZbFaAWjLoKAXf87tKgBCZzK8C1q6gLyTQOqp07ptYQd5Q951kfE1a/35SFJsubREzJmu6haxznRgq7pO5HDGqgtjYEHsngsWZh3bUSX/aG2dLISdD81VY68nLzTO0r4h/SL6DNG36RzJgL8E=,iv:V0WhENNt/Szi5VWVD2t5AsWP1tOZUGjFjMNYPDq59XI=,tag:ThRstdzVNtSs6E7qlvKPOw==,type:str]
+    lastmodified: "2025-01-31T07:11:08Z"
+    mac: ENC[AES256_GCM,data:CYOPIN29pg5ldsLgkMaqSqKmTKusSBKVVifU2eGPIEILcYEwMmmGkvCH7jG8+QnOicfSTIonA0sPBO/g36X5bLhQIcmzUEnImSXVFLXpvHM2haIxPSHG/xvaLbIPcHMKvHbeyIGIhIdfPp7ssyH1Aa/+PgtfTIMUeOFbIWykgfE=,iv:+u7kyGUgmeEJ2T6rnBS9ACAk4Ka2OPJrz4sCZLVTPP8=,tag:d2eimY7wGwoQZZEh3d0UZA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@ -1,74 +0,0 @@
-{
-  pkgs,
-  ...
-}:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-    ./networking.nix
-    ./services.nix
-    ./services
-  ];
-
-  sops = {
-    defaultSopsFile = ./secrets.yaml;
-    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-    secrets = {
-      gts_env = {
-        owner = "gotosocial";
-      };
-    };
-  };
-
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.efi.efiSysMountPoint = "/boot";
-  boot.loader.grub = {
-    enable = true;
-    efiSupport = true;
-    configurationLimit = 5;
-  };
-  environment.systemPackages = with pkgs; [
-    cifs-utils
-    git
-  ];
-
-  # Disable docs on servers
-  documentation.nixos.enable = false;
-  documentation.man.enable = false;
-
-  system.stateVersion = "22.11";
-
-  networking = {
-    hostName = "massicot";
-  };
-
-  services.tailscale.enable = true;
-
-  commonSettings = {
-    auth.enable = true;
-    nix = {
-      enable = true;
-    };
-  };
-
-  security.sudo = {
-    execWheelOnly = true;
-    wheelNeedsPassword = false;
-  };
-
-  services.openssh = {
-    enable = true;
-    settings = {
-      PasswordAuthentication = false;
-      KbdInteractiveAuthentication = false;
-      PermitRootLogin = "no";
-      GSSAPIAuthentication = "no";
-      KerberosAuthentication = "no";
-    };
-  };
-  services.fail2ban.enable = true;
-  programs.mosh.enable = true;
-
-  systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
-}
--- a/machines/massicot/hardware-configuration.nix
+++ b/machines/massicot/hardware-configuration.nix
@ -1,32 +0,0 @@
-{ modulesPath, ... }:
-{
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-  boot.loader.grub = {
-    efiSupport = true;
-    device = "nodev";
-  };
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/AC27-D9D6";
-    fsType = "vfat";
-  };
-  boot.initrd.availableKernelModules = [
-    "ata_piix"
-    "uhci_hcd"
-    "xen_blkfront"
-  ];
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = {
-    device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_35068215-part1";
-    fsType = "ext4";
-  };
-
-  fileSystems."/mnt/storage" = {
-    device = "/dev/disk/by-id/scsi-0HC_Volume_101302395";
-    fsType = "btrfs";
-    options = [
-      "subvol=storage"
-      "compress=zstd"
-      "noatime"
-    ];
-  };
-}
--- a/machines/massicot/networking.nix
+++ b/machines/massicot/networking.nix
@ -1,14 +0,0 @@
-{ pkgs, ... }:
-{
-  networking.useNetworkd = true;
-  systemd.network.networks."10-wan" = {
-    matchConfig.MACAddress = "96:00:02:68:7d:2d";
-    networkConfig = {
-      DHCP = "ipv4";
-      Gateway = "fe80::1";
-    };
-    address = [
-      "2a01:4f8:c17:345f::3/64"
-    ];
-  };
-}
--- a/machines/massicot/secrets.yaml
+++ b/machines/massicot/secrets.yaml
@ -1,40 +0,0 @@
-storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
-gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str]
-hedgedoc_env: ENC[AES256_GCM,data:+rjEctM6IJUpn7WcAnBS9TkQi2lCq4wKPxbaOApffH0tFyu56SpECrLpmM749I7th3N+UGb0pLM7+Ywr7fbuuMfUuIWom6Y+CKYw4yMlgjzTaaNqBmstvMxLaPnmA01G9ie1rQ==,iv:YBIyQQ6xiUyxSnR5epE5hV9OqETLKC5CFTEaRJdErGU=,tag:77kHYQ2i2APVyadhMhmvWA==,type:str]
-grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str]
-miniflux:
-    oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str]
-forgejo:
-    env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str]
-restic:
-    repo_url: ENC[AES256_GCM,data:GMHbrjgwajnYSiqtoYaKiFT/aDWDwlzEkvMLPzYf7C9PvLr7T4zeWyAA9//8huldyxO3+nk6O9lR9ORZKZfb8/MYB7nRB03sZQ==,iv:6uBhsksOGDjoc13U2xWLz7I+0fzGRhnw0nStACqlnug=,tag:uhH28NYq+ly1bmCV/cpxkQ==,type:str]
-    repo_password: ENC[AES256_GCM,data:jRHNgOk5ChWdqMKsd/V4Xg==,iv:wrgF5pau/RylG1nmJYmvrZ02o67qkkT5PrZAQlXb6Qo=,tag:X0WVpMqi8xeoATss/sSPMA==,type:str]
-sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age:
-        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aGRvUUtjcDU2bnhaNDJD
-            K3c5TnFJeHQzM2VpeHphR2dGeS9NYzcyYjJnCnNrQ3dxL1hqR2MyQXhldUZ1VEJp
-            N25nVHZ1QjRydW9hTWE5d0x2M2pPNkkKLS0tIFpiRW8rZ1Q1R1RCZGN1ZGs3ek45
-            UENaRjJPWFJqUlpzd3dHSC9pdnZ6STQKQaaY28FYUk3O9TTkX9LQTzlrqZVojgxY
-            M+N6LApfdoioQCmXduDbj18i0eUbECTBXR/uEFEIHbn6AJVD/vx7iw==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRY0lIeE9tWDA3Q21IWk1E
-            YnlaQUJybFB2bmFpbG1UZ0UyNG16WkRkZlNVCmUySHVBcXpWekpVN3R5dGs5ODY1
-            V1ZlUk4zRSs1NkVjY3JSMVVQSXJ1OEkKLS0tIFMzeUNaYVpoNnV3TE1oamEwTEo2
-            dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
-            V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
-            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-28T03:57:35Z"
-    mac: ENC[AES256_GCM,data:xjZrlwfWLtZNYfH+KiE2ICt9Jo4nx/LKaEYi/ECN/Od+ZTjety0V6RJ/RfmI6q3K1WMj0sAGc56hCZ0iOn25L8wK6dc14hZVoSwwbIiQ7hTQE5LcK+NbXNmy3r/YC855DHG9kE08eYGHdNcBbckZg3HhkHQ9UYS/Ox/QFFuBa5Q=,iv:N3AW+sr9ET3c/ArXr176haRewYFsfgsNn+hkC0MDJwA=,tag:SCikn+F8btuSBswV+oCdXg==,type:str]
-    pgp: []
-    unencrypted_suffix: _unencrypted
-    version: 3.9.1
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@ -1,102 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  kanidm_listen_port = 5324;
-in
-{
-  imports = [
-    ./kanidm-provision.nix
-  ];
-  networking.firewall.allowedTCPPorts = [
-    80
-    443
-    2222
-    8448
-  ];
-  networking.firewall.allowedUDPPorts = [
-    80
-    443
-    8448
-  ];
-
-  custom.monitoring = {
-    promtail.enable = true;
-  };
-
-  custom.prometheus.exporters = {
-    enable = true;
-    blackbox = {
-      enable = true;
-    };
-    node = {
-      enable = true;
-    };
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    certs."auth.xinyang.life" = {
-      email = "lixinyang411@gmail.com";
-      listenHTTP = "127.0.0.1:1360";
-      group = "kanidm";
-    };
-  };
-
-  services.kanidm = {
-    package = pkgs.kanidm.withSecretProvisioning;
-    enableServer = true;
-    serverSettings = {
-      domain = "auth.xinyang.life";
-      origin = "https://auth.xinyang.life";
-      bindaddress = "[::]:${toString kanidm_listen_port}";
-      tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
-      tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
-      online_backup.versions = 7;
-      # db_path = "/var/lib/kanidm/kanidm.db";
-    };
-  };
-
-  users.users.conduit = {
-    isSystemUser = true;
-    group = "conduit";
-  };
-  users.groups.conduit = { };
-
-  services.gotosocial = {
-    enable = true;
-    settings = {
-      log-level = "debug";
-      host = "xinyang.life";
-      letsencrypt-enabled = false;
-      bind-address = "localhost";
-      instance-expose-public-timeline = true;
-      oidc-enabled = true;
-      oidc-idp-name = "Kanidm";
-      oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
-      oidc-client-id = "gts";
-      oidc-link-existing = true;
-      storage-local-base-path = "/mnt/storage/gotosocial/storage";
-    };
-    environmentFile = config.sops.secrets.gts_env.path;
-  };
-
-  services.caddy = {
-    enable = true;
-    virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
-      reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
-    '';
-    virtualHosts."https://auth.xinyang.life".extraConfig = ''
-      reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
-          header_up Host {upstream_hostport}
-          header_down Access-Control-Allow-Origin "*"
-          transport http {
-              tls_server_name ${config.services.kanidm.serverSettings.domain}
-          }
-      }
-    '';
-  };
-}
--- a/machines/massicot/services/restic.nix
+++ b/machines/massicot/services/restic.nix
@ -1,42 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  sqliteBackup = fromPath: toPath: file: ''
-    mkdir -p ${toPath}
-    ${lib.getExe pkgs.sqlite} ${fromPath} ".backup '${toPath}/${file}'"
-  '';
-in
-{
-  sops.secrets = {
-    "restic/repo_url" = {
-      sopsFile = ../secrets.yaml;
-    };
-    "restic/repo_password" = {
-      sopsFile = ../secrets.yaml;
-    };
-  };
-
-  custom.restic = {
-    enable = true;
-    paths = [
-      "/backup"
-      "/mnt/storage"
-    ];
-    backupPrepareCommand = [
-      (sqliteBackup "/var/lib/hedgedoc/db.sqlite" "/backup/hedgedoc" "db.sqlite")
-      (sqliteBackup "/var/lib/bitwarden_rs/db.sqlite3" "/backup/bitwarden_rs" "db.sqlite3")
-      (sqliteBackup "/var/lib/gotosocial/database.sqlite" "/backup/gotosocial" "database.sqlite")
-      (sqliteBackup "/var/lib/kanidm/kanidm.db" "/backup/kanidm" "kanidm.db")
-    ];
-  };
-
-  services.restic.backups.${config.networking.hostName} = {
-    extraBackupArgs = [
-      "--limit-upload=1024"
-    ];
-  };
-}
--- a/machines/minimal/default.nix
+++ b/machines/minimal/default.nix
@ -1,25 +0,0 @@
-{
-  lib,
-  ...
-}:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  boot.initrd.availableKernelModules =
-    [
-    ];
-
-  swapDevices = [ ];
-
-  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
-  # (the default) this is the recommended approach. When using systemd-networkd it's
-  # still possible to use this option, but it's recommended to use it in conjunction
-  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
--- a/machines/osmium/default.nix
+++ b/machines/osmium/default.nix
@ -53,6 +53,7 @@
    commonSettings = {
      nix.enable = true;
      auth.enable = true;
+      network.localdns.enable = true;
    };

    documentation.enable = false;
@ -69,7 +70,7 @@
      neovim
      jq
      iptables
-      ebtables
+      nftables
      tcpdump
      busybox
      ethtool
@ -88,24 +89,56 @@

    systemd.network = {
      enable = true;
-      networks."lan" = {
-        matchConfig.Name = "enu1";
-        networkConfig.DHCP = "no";
-        linkConfig.RequiredForOnline = "no";
-      };
      networks."wan" = {
        matchConfig.Name = "end0";
        networkConfig.DHCP = "yes";
-        linkConfig.RequiredForOnline = "yes";
+        linkConfig.RequiredForOnline = false;
+      };
+      networks."lan" = {
+        matchConfig.Name = "enu1";
+        networkConfig = {
+          DHCP = "no";
+          DHCPServer = "yes";
+          Address = "10.1.1.1/24";
+        };
+        dhcpServerConfig = {
+          ServerAddress = "10.1.1.1/24";
+          UplinkInterface = "end0";
+          EmitDNS = "yes";
+          DNS = [ "192.168.1.1" ];
+        };
+        linkConfig.RequiredForOnline = false;
      };
    };

-    services.dae = {
+    networking.firewall.enable = false;
+    networking.nftables = {
      enable = true;
-      configFile = "/var/lib/dae/config.dae";
+      tables = {
+        filter = {
+          family = "inet";
+          content = ''
+            chain forward {
+              iifname { "enu1" } oifname { "end0" } accept comment "Allow trusted LAN to WAN"
+              iifname { "end0" } oifname { "enu1" } ct state { established, related } accept comment "Allow established back to LANs"
+              iifname { "enu1" } oifname { "tailscale0" } accept comment "Allow LAN to Tailscale"
+            }
+          '';
+        };
+
+        nat = {
+          family = "ip";
+          content = ''
+            chain postrouting {
+              type nat hook postrouting priority 100; policy accept;
+              oifname "end0" masquerade
+              oifname "tailscale0" masquerade
+            }
+          '';
+        };
+      };
    };

-    services.tailscale.enable = true;
-
+    services.tailscale.extraSetFlags = [ "--advertise-routes=10.1.1.0/24" ];
  };
 }
--- a/machines/raspite/configuration.nix
+++ b/machines/raspite/configuration.nix
@ -6,11 +6,14 @@
 }:

 {
-  imports = [ ./hass.nix ];
+  imports = [ ./services/hass.nix ];

  commonSettings = {
    nix.enable = true;
    auth.enable = true;
+    comin.enable = true;
+    network.enableProxy = false;
+    serverComponents.enable = true;
  };

  nixpkgs.overlays = [
@ -20,6 +23,8 @@
    })
  ];

+  networking.firewall.allowedTCPPorts = [ 8443 ];
+
  environment.systemPackages = with pkgs; [
    git
    libraspberrypi
@ -34,17 +39,5 @@
    interfaces.eth0.useDHCP = true;
  };

-  # boot.kernelPackages = pkgs.linuxPackages_stable;
-
-  # fileSystems."/".fsType = lib.mkForce "btrfs";
-  boot.supportedFilesystems.zfs = lib.mkForce false;
-
-  services.dae.enable = true;
-  services.dae.configFile = "/var/lib/dae/config.dae";
-
-  services.tailscale = {
-    enable = true;
-    permitCertUid = config.services.caddy.user;
-    openFirewall = true;
-  };
+  time.timeZone = "Asia/Shanghai";
 }
--- a/machines/raspite/hass.nix
+++ b/machines/raspite/hass.nix
@ -1,54 +0,0 @@
-{ config, pkgs, ... }:
-{
-  services.home-assistant = {
-    enable = true;
-    openFirewall = false;
-    config = {
-      default_config = { };
-      http = {
-        server_host = "127.0.0.1";
-        use_x_forwarded_for = true;
-        trusted_proxies = [ "127.0.0.1" ];
-      };
-    };
-    extraPackages =
-      python3Packages: with python3Packages; [
-        # speed up aiohttp
-        isal
-        zlib-ng
-      ];
-  };
-
-  services.esphome = {
-    enable = true;
-    openFirewall = false;
-  };
-
-  users.groups.dialout.members = config.users.groups.wheel.members;
-
-  services.mosquitto = {
-    enable = true;
-  };
-
-  services.zigbee2mqtt = {
-    enable = true;
-    settings = {
-      home-assistant = config.services.home-assistant.enable;
-      permit_join = true;
-      serial = {
-        port = "/dev/ttyUSB0";
-      };
-    };
-  };
-
-  networking.firewall.allowedTCPPorts = [ 8443 ];
-
-  services.caddy = {
-    enable = true;
-    virtualHosts = {
-      "raspite.coho-tet.ts.net".extraConfig = ''
-        reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
-      '';
-    };
-  };
-}
--- a/machines/raspite/services/hass.nix
+++ b/machines/raspite/services/hass.nix
@ -0,0 +1,236 @@
+{ config, pkgs, ... }:
+{
+  services.home-assistant = {
+    enable = true;
+    openFirewall = false;
+    config = {
+      logger = {
+        logs = {
+          homeassistant.helpers.llm = "debug";
+          homeassistant.components.conversation.chat_log = "debug";
+          homeassistant.components.openai_conversation = "debug";
+        };
+      };
+      http = {
+        server_host = "127.0.0.1";
+        use_x_forwarded_for = true;
+        trusted_proxies = [ "127.0.0.1" ];
+      };
+      assist_pipeline = { };
+      backup = { };
+      bluetooth = { };
+      config = { };
+      conversation = { };
+      history = { };
+      recorder = {
+        purge_keep_days = 14;
+      };
+      homeassistant_alerts = { };
+      image_upload = { };
+      logbook = { };
+      media_source = { };
+      mobile_app = { };
+      my = { };
+      ssdp = { };
+      stream = { };
+      sun = { };
+      usb = { };
+      webhook = { };
+      zeroconf = { };
+    };
+    extraPackages =
+      python3Packages: with python3Packages; [
+        # speed up aiohttp
+        isal
+        zlib-ng
+      ];
+    extraComponents = [
+      "mqtt"
+      "roborock"
+      "openai_conversation"
+    ];
+  };
+
+  systemd.services.home-assistant.environment = {
+    OPENAI_BASE_URL = "https://ark.cn-beijing.volces.com/api/v3";
+  };
+
+  services.esphome = {
+    enable = true;
+    openFirewall = false;
+  };
+
+  users.groups.dialout.members = config.users.groups.wheel.members;
+
+  services.mosquitto = {
+    enable = true;
+  };
+
+  services.zigbee2mqtt = {
+    enable = true;
+    package = pkgs.zigbee2mqtt_2;
+    settings = {
+      home-assistant = config.services.home-assistant.enable;
+      serial = {
+        adapter = "zstack";
+        port = "/dev/ttyUSB0";
+      };
+      frontend = {
+        enabled = true;
+        port = 15313;
+        host = "127.0.0.1";
+      };
+      advanced = {
+        log_level = "debug";
+        availability = {
+          # Periodically check whether devices are online/offline
+          enabled = true;
+        };
+        channel = 11;
+        homeassistant_legacy_entity_attributes = false;
+        homeassistant_legacy_triggers = false;
+        legacy_api = false;
+        legacy_availability_payload = false;
+      };
+      device_options = {
+        legacy = false;
+      };
+      devices = {
+        "0x000d6f001673c5d4" = {
+          friendly_name = "小次卧开关";
+        };
+        "0x000d6f001673c1df" = {
+          friendly_name = "衣帽间开关";
+        };
+        "0x000d6f0014cbc2c6" = {
+          friendly_name = "主卧床头开关";
+        };
+        "0x8cf681fffe0a5e38" = {
+          friendly_name = "玄关开关";
+          description = "1: 玄关灯 2: 书房灯";
+        };
+        "0x8cf681fffe0d9f1c" = {
+          friendly_name = "客厅开关1";
+          description = "1: 轨道灯东 2: 轨道灯西";
+        };
+        "0x000d6f00167839ff" = {
+          friendly_name = "客厅开关2";
+          description = "1: 客厅射灯北 2: 客厅射灯南";
+        };
+        "0x8cf681fffe0db266" = {
+          friendly_name = "客厅开关3";
+          description = "过道射灯";
+        };
+        "0x8cf681fffe0d9ccb" = {
+          friendly_name = "客厅开关4";
+          description = "1.厨房射灯";
+        };
+        "0x000d6f001673c512" = {
+          friendly_name = "小过道开关";
+        };
+        "0xa4c13815e2f92d74" = {
+          friendly_name = "客厅格栅灯";
+          transition = 1;
+        };
+        "0x540f57fffe54ced3" = {
+          friendly_name = "书房灯西南";
+          transition = 1;
+        };
+        "0x540f57fffe54c8d4" = {
+          friendly_name = "书房灯东北";
+          transition = 1;
+        };
+        "0x540f57fffe54c82b" = {
+          friendly_name = "书房灯西北";
+          transition = 1;
+        };
+        "0x540f57fffe5210bc" = {
+          friendly_name = "书房灯东南";
+          transition = 1;
+        };
+        "0x540f57fffe54c851" = {
+          friendly_name = "鞋柜灯";
+          transition = 1;
+        };
+        "0x540f57fffe54ce63" = {
+          friendly_name = "入户灯";
+          transition = 1;
+        };
+        "0x540f57fffe54c8ce" = {
+          friendly_name = "影壁灯";
+          transition = 1;
+        };
+        "0xa4c138693a2afad7" = {
+          friendly_name = "次卧泛光灯";
+          transition = 1;
+        };
+        "0x540f57fffe54c826" = {
+          friendly_name = "厨房水池灯";
+          transition = 1;
+        };
+        "0x540f57fffe521114" = {
+          friendly_name = "厨房灯";
+          transition = 1;
+        };
+        "0x540f57fffe54c86b" = {
+          friendly_name = "过道灯西";
+          transition = 1;
+        };
+        "0x540f57fffe54c82e" = {
+          friendly_name = "过道灯东";
+          transition = 1;
+        };
+        "0x540f57fffe5210e3" = {
+          friendly_name = "客卫洗手池射灯";
+          transition = 1;
+        };
+        "0xfc4d6afffe6eb9e3" = {
+          friendly_name = "客卫镜前灯";
+        };
+        "0x540f57fffe5210cf" = {
+          friendly_name = "客厅射灯北1";
+          transition = 1;
+        };
+        "0x540f57fffe54c8bb" = {
+          friendly_name = "客厅射灯北2";
+          transition = 1;
+        };
+        "0x540f57fffe5210db" = {
+          friendly_name = "客厅射灯北3";
+          transition = 1;
+        };
+        "0x540f57fffe54cec5" = {
+          friendly_name = "客厅射灯南1";
+          transition = 1;
+        };
+        "0x540f57fffe520d1d" = {
+          friendly_name = "客厅射灯南2";
+          transition = 1;
+        };
+        "0x540f57fffe54c966" = {
+          friendly_name = "客厅射灯南3";
+          transition = 1;
+        };
+        "0x540f57fffe520ceb" = {
+          friendly_name = "小次卧射灯北";
+          transition = 1;
+        };
+        "0x540f57fffe5210cd" = {
+          friendly_name = "小次卧射灯南";
+          transition = 1;
+        };
+      };
+    };
+  };
+
+  services.caddy = {
+    virtualHosts = {
+      "raspite.coho-tet.ts.net".extraConfig = ''
+        reverse_proxy ${config.services.home-assistant.config.http.server_host}:${toString config.services.home-assistant.config.http.server_port}
+      '';
+      "https://raspite.coho-tet.ts.net:8080".extraConfig = ''
+        reverse_proxy ${config.services.zigbee2mqtt.settings.frontend.host}:${toString config.services.zigbee2mqtt.settings.frontend.port}
+      '';
+    };
+  };
+}
--- a/machines/secrets.yaml
+++ b/machines/secrets.yaml
@ -1,95 +1,103 @@
 prometheus:
-    metrics_username: ENC[AES256_GCM,data:/CQfOA==,iv:BjhB+uLfjmYHdgpc/+tDJXJ8C1EK9kngQWbo4NleOmE=,tag:JCdqyqGLRh09T25vmufiZw==,type:str]
-    metrics_password: ENC[AES256_GCM,data:q/xMPuNtlcUFewMdVu6w2Q==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:B4LrObH1DsnnD5CcuOPOyg==,type:str]
+    metrics_username: ENC[AES256_GCM,data:7kcwPg==,iv:BjhB+uLfjmYHdgpc/+tDJXJ8C1EK9kngQWbo4NleOmE=,tag:wGLoVcsVxgFjorIMsV4mjw==,type:str]
+    metrics_password: ENC[AES256_GCM,data:qGbdk5tRmBw1rYHkmid87w==,iv:xLohdb5tdxevYFckZoacjSJp2rZ53QKLxK6u3mc3mDw=,tag:+cVF89YF35hA+fPvEQNgHA==,type:str]
+dae:
+    sub: ENC[AES256_GCM,data:wCv8je47gBa2bb2aWCbUYHIuxGxkXUfJUvogwviYUNJJZJCdL5Q2qJX+tXOL4JRkzicRzFfiPEa3rcYIfoB6DC7caDPevpepHtTENzI3YKppiz0KIXedUWr+,iv:iMhxWb0IR+3jOP2+7GmQTe0Ia1yhycji4hcTTMK57GI=,tag:e8X4PTiY/60W6XbFLOmSBQ==,type:str]
+tailscale:
+    authkey: ENC[AES256_GCM,data:GKfhg4Co1us4UQ6Jn3KT85OrIIVDd8aJmv8hmhtLZnAM4McxPmpVZ1tnYu7GIfKdqgCQqEl+lgS0xlV+qA==,iv:qugnzLpCZqHyRnJaP0tS2y5R5i0lrhm9PnIuG3kiGqE=,tag:KV/fcG4rceG4AHCzFEoksg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5SjAzOEozUzh1bzVvaHgr
-            T2xsVUszTHVSdWIyM3B5TFhtUEFMeVZlYzNrCk5IOWFNbTErbTVkQnNlVllMZWlV
-            Q2lHZXRIdzBiRFRSZnNUVWd2NXVXVGcKLS0tIERhcjh3VVlqSGxHUHpnc1JzVksv
-            VXpQVVVCUC9xR3crWm9rTk13LzVhK1EKwiuvwx3ZhcDE+9w7/dR4PrZSSoJMvklT
-            m7I32dMRk0o9zcl5KYU5L9Hwb+z+EBE34raoGKBF5K4aQcbZQUX3Cw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOdjRiWCtvUWNSTVJlNmh5
+            RDIzMW5rZmc4ZW9DbWs1cnVWbG16WDJhTkMwCkk5MENTTUJENDFwcFJ3K2Y3cW1Z
+            ZFhzNSs1ZHRtd25za3pJUFJoYTU0WGcKLS0tIHVjSmZiTFIxTmdOcFVKTVdMOXg5
+            bjdhUFNjWlhFcitUaUZpOURzY1MvdlUKl6tM+siqmAN25lyobnPymIhniJkylZcy
+            yWw/iEj6l7dNrwCr5Ofb6llTPMIJeA7Y0wKPhp2ott13hBUUSeBDRg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1ytwfqfeez3dqtazyjltn7mznccwx3ua8djhned7n8mxqhw4p6e5s97skfa
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5R1ZIRlN2b3M2OUQ0T2cw
-            eE5DTm9KY1NUY1p5eDhLNG4xMDVkVjRyWDNRClp3MTRWeGJMYTczcC9YQTNZdkxx
-            ejJ3QnhjcUcyUldUNEVqVUh6Z2grd00KLS0tIDVvbDZWbmZPZVhDNHM1K1kzaE95
-            aHJqSU16dlJiRGl0VWNMVXVYMmhPb2MKMboq9ShGIJMFVENgLPlQdwdtTOjVb0CC
-            4ttM3xWnYkf8416a0OYFrda5l1kfJJzQakbk/tbGcTu1yTcd+6lOtA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbHIwSmlYQWdDV20rQjdI
+            OVVNUmcwcFZaZzlWa1QxaERoV0oydzZHR2pZCjV4K2llR1lCNGZzRWVidExyTW1i
+            RTlBZzF1UHFFT0JzT3hnK28zeWN2UlEKLS0tIFFQVUJUVk5HcTRSQXczbDlsRTli
+            R3QrSVNXbnM3VjVvMHRvNGVTMFBPam8K1rJaII3N4xN8ArmEzSt5boqFrcKBbYWD
+            T9sBOVitKudgGRbXirPdUbWHq//gP6bkpwGrh5cJA30jDXaTuEq31g==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age17r3fxfmt6hgwe984w4lds9u0cnkf5ttq8hnqt800ayfmx7t8t5gqjddyml
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVby8wYS9pa0szTlVUS3FI
-            VWhjaCtyUzNLbkw2VXRlWkVMZlRkeXJMZGlRCnBTWklnZ0Uzd2lTMGt1M2wxZ0px
-            NFl2RW5hSUZVdHI0aVFRMHJtMFQ3ODAKLS0tIFlYOHVRYVFGbkcvUWRmQitQQnI5
-            bG5vemMvcWdpOEtxNGRpS0doQmtuUFkK8Hxl//kOtbEw3jf96ZZ4G1Yb94f4Jeb4
-            TfPs7O/ESJY8ovNsoXRQEt99vOR5D1wBzyZBY9E3f2ZzY/uBmup0cw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4VGdpcHE0MGk2VU1hcDQ1
+            SVB0TUY1dkNQZGRtSElPajVCUktVbGZuTHpjCnI4NGl0dEdXdXhxZmN1SHkyL25U
+            RGJiT1I4dHJscjZvdDdDZkVzdnZ1M0UKLS0tIG9lUGlwbmQvZ05IN1NMMFVQVWls
+            WlBIQVVPVWpTdm5pQ3NCSWIxazRKUHMK8SmC1itCVyr8KXBSLVVpiHwt7Hl9Vps3
+            sc8cqv/Ou0LWz5MlqCGtiO5zKIQABCIAhmMMw9UDrqkYHyLCOhaGlw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1jle2auermhswqtehww9gqada8car5aczrx43ztzqf9wtcld0sfmqzaecta
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPSmRYMkNIdERJZVBxV1p1
-            emlqOTBpN3l2WXkzNjRRcFI5NUZDZnQ1WXdnCkRVbm8xais5aGVCTmtSTGxaTXlT
-            L2ZWQ0p5WFZNRWl5SWVkRUYwc2R3b1UKLS0tIEZEck4yMmJUQWVvNHRJQnpCQTBo
-            cDJsaG83MTdXWVd2NUpLczhjWTBBZVUK5BxBIYVqkqVLw9LTbnJ8SQWN2i4USdI8
-            8m/hZFXTJ4GI0f795DEmbcZq9xET14aQqta0wSASqwP/5Ld1mo0a0w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxZE05NGI3WlpNWXlGdlkx
+            OW5QK0NzbTl0RmJjQythRWdZdUJkczhLZ1NjCjFTVng5L1dnYTBYZ3R2RHhiVGxC
+            MHZ1Yi9IRUJySEZBazJ2ZnhYeElWWXcKLS0tIEhVV2lUSzZZbitKd1NaS2J6UzE2
+            QlFpVGV4YkJUbFA4Y2RVQm9JeVJMK0EKDwXNkNgAmsNMYvSpHVmSn098+Eurr3jp
+            KHtqLGRGq2EHK2Edo4gktXS39KhpYhhKTEMNiAJ8Tx2BG+edGKAJyg==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age12ng08vjx5jde5ncqutwkd5vm4ygfwy33mzhzwe0lkxzglulgpqusc89r96
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwSkhjRTdBWklZUEpUanM0
-            Wjl4b2c3K0g0ZUxxMlRrUFhhZzhNRXhPVnpvCmpNWVBNTXNYczV3aWhCd05FOGJ0
-            YlNobFhWdStGbDRZV2NlUWV6ZFRVNEkKLS0tIGd1RUR4K21GOEQ0aWtqRi9RREpE
-            RXBXcXFYUDVXVzN4Q25zSklFU21wbFkKQuTHkgFC5HRPO7/PuVhJzbbHOTPaFXvN
-            +Y31AK3OAVdUETMEuJ2mk50Bi5BiiUeOnnv1bZ6O+iX0o20ysUseTg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLZGs5SnE5R0N5ZkpKRXky
+            c3JSK3F6NzZJbHI3WWNZbk1nY0UwUW4vNUNnCmV5eTJVRTdJc25VaXVJY05GeUFo
+            UUFxNDM1M3pXaUVVekJJZ2tNV1UxNEUKLS0tIDdEN1BFWDF4cXRoS01VSHhPRjlu
+            ZjZCc2krMkxOWDkwMWM0WC9qQWZPNEUKt9s9SNkkoVOuGKW9AkGB6XYf7a90EeZD
+            b0q/P/mKVGYghwXjEQ89ipS+rF3BMlWXRwd6T8mb6NRLmseyt0dqyw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1v5h946jfke6ae8pcgz52mhj26cacqcpl9dmmrrkf37x55rnq2v3szqctvv
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnc3NOZFRYT1VnaVZSaTRi
-            WnluSEk4d1U5TWx2REZRZ3VCRVp2ZzlKY0NvCjNlUnIwdWVqSnlQOWp1dlJ5THlW
-            c2xTNHhnaE94a2ZTeXJjQTVxeGRLTmsKLS0tIFV4c2NZK1ZnL2xtUlVvSksxNi9o
-            L3dodkJXVjZrekVldTVsRFRxSFlrTmMKiokjgIRIsI8D2aFP/Qem4iGzC4yr5lm2
-            ZwggC/UfD56ysTEqrVaDnR7f5fSqZLWdstPJn7I/vr5CwKRMbMPYSA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaGNVc1BvbnZNbFlFL2pL
+            L3JOczFGNnlQVnpuMkVJZlRVU2hhcCtKNGhJCk9ZUFlYOERXWWlBMG4yVENUbk1P
+            UWJnNWpBeDVjRG1GdDBreWMzUVIzaHcKLS0tIFZFUmE2NE5wTXBIZWI4cjlFYk12
+            TERkUkROTWpKTUF3ZUk2TFVRaVFTNVkKHaBMq9jHPM5e+4naO6aC3s6NMspe/v6e
+            sCZti+gw1pa3Sdlc9qZD6ZWN4G0UDJnRSxPNIxO7n3wMPWkMVQiztw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1p2dlc8gfgyrvtta6mty2pezjycn244gmvh456qd3wvkfwesp253qnwyta9
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpN0llOTBJU1pNNVFxVWxt
-            aFdKdStKL1ZlZ0p6WFRQbHpGNnpmdlJXdG1FCkx5eDhZWWJvQ2xSWEJqWnZ6NmNt
-            Y0MzNDg5QzVSbEZteW1LNlFyRFg5Q0EKLS0tIDBrT0dEZlBoTExYcGRNZjZ5Znpz
-            cnE4YWRTMmRsTENhOTl5R2dYSzQwazAKvnTvZz842Mg5AVlIoYHI2BG+0/hO5zIv
-            jRVJri98fgGterXADTPmeoY3p+fFQggTPhs/5s5GSQxd5aiX8vvvrA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYUHJzUzhwbHhYMUNkbVRV
+            MkdBd3c3cC9ZQ0x1ZHlzUUo4MHA5TkIzQmdvCkk0S3VMRkllbk9VS1R6d1BCTENr
+            K29XQXpYSlV2YWJLbGdsbFM0UGZLZjQKLS0tIGRNR3U4MDFJektXMkg0R3I1Rkpt
+            M1A2VlBmZ1V0UXltNW5zNTBqRDJKMVUKVOwFinUC3scboLI2qrYUAxLecMmz5V4w
+            A8maHLb8SlDea0KM0NJjoYlBXgVG2OnQ0HaUJzGkQTWwCPUk/o3MGA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age18u4mqrhqkrpcytxfxfex6aeap04u38emhy6u4wrp5k62sz2vae4qm5jj7s
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPQWljdGg4VTlDdGhoblpk
-            LytxK2FnQVI1dzB2bnFaWUtoUVNGS3lpU3prCnRwUTNnZVVXTnZ6eCtScTk5YzI3
-            TGM2MmNhaHQ3NXAzMk0rcnJoTlp5STQKLS0tIEp2U3YvUUhXTkt3VFczY3J1LzMv
-            ZzM0VHpqamRIZVROS2lQdXFhQTNBekEKEySldC+VvZvPY398ZVkB5s73bT3QbuLh
-            IqTv+wbkbjlvZJUavVyycY5SwMXkSX3ge9W/64mt/RDs88gSXFS+Sw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDNlZ6U3BMeE1NV2Q3UHRw
+            YzVpYVVVSURGTzI3VEY4V09iWDh3ZU04dFRjCkZaWFRhV0tJd3hZYnFFZmVYenVp
+            QTNlZ1RYazRWeVI2R0VYTE9EbWNFVEkKLS0tIDJQU1BDYW80ZDBid2dYWGNEeXlZ
+            ZU03cFpZQjlVOUdzT3FHTiswZmk1ajQKxRqo2ZZKIDTHIjOM0r/ZorgRq4Gm0UsQ
+            wFojWJQC52DTwF7oAKojb+93of5qDBVnXlN5YM12T1XnifVHk6Kc5A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1fw2sqaa5s9c8ml6ncsexkj8ar4288387ju92ytjys4awf9aw6smqqz94dh
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4bGppem15NlVod2hCRkM5
-            MzY1aUZOdEVzRzdEYTRNakdMQWJlRkk0eEZzClRLSnRrQUoreU5MVG40KzRKSGcw
-            bUU4ZnpLU0VtOWxXVllrSW5lN0NWb0kKLS0tIE1iemRlVVpieEhxRnlIb2dFUHZr
-            am04NVRtU2N6SThYZWdXVE5RZ1B2aE0KVcHvB5k2Gcu/St0P8WPFzlCtuZthZTKo
-            hwVc0lC6Xxt25hriaUFinwnyvcjxrLCx0Nq7f9Zn16nJcza5kev1nQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDM3FTdXdCM3Z3b2NLR1Bw
+            OC9HdDlraktMMUxRM3ovSXpScnhEM2U2a1I0CnkwSVZjSVI1UXBUTWJIVFlXRG9t
+            K1ZhbUtWYzFxSUU2dmMvbkFKVHRLYTAKLS0tIGloNC9JWG9pSTZmNjI0TitSUWQr
+            NzYyU1UrbS9Fc1ZicTR2NXNIYmpsdXMK5CEi9eLOMyZrs32rEEMAl65LFqN75Iow
+            bApHV33LVxIYnbBYdPnHKGWj7U5VOPO3krq6q4pW4PViMotUx4BWow==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-30T06:31:42Z"
-    mac: ENC[AES256_GCM,data:xh8x9IrQ01ZzdcCTIfBrifIGduMYVmSSP52BkTyr/bx7AgQAz2WeA7LFrccxIayCGHrQKfMQDLUKJ/EBamG/6p8AX6QqZBTfqFD688ZhmRfxgpj7fYR9jPYnhb/9XHI9R2jTaJWwrorXvu3pa+Gy/hWB3Kb+WZc3fslmIuKuLH0=,iv:GDrHSFZxPbpACdusVDPHXEjeEusYfk53N/KGHtdvrYo=,tag:ap38sCSTZVDQ0ZazXM3vlg==,type:str]
-    pgp: []
+        - recipient: age1x79t4crvt8qj34vn052s0kaj80z87np83adqra953yjpydrzkqqspt6zcj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDK01iTkVEU3QvbUY0UUR1
+            VGQ2djZENnY3TU0wQ3BZa1JhZlduUWwySXlzCjhqM1MrWDV3bW1lUThHU2RXZE9P
+            VDBZZlNKZVBIdmE1RkVRbTZ2MTM5a2sKLS0tIHdOV004VEtWZ3ZhSXBkejlDSVp0
+            MHJubDlRVW40TDVJNnNqQktKcGVVYWcK1nCRXYjyLpNdj2Mnjgop5R6DSpRUSxDT
+            VstIwZiQgACPKcP7H2dFSPNDaaAH1YqZzqr7ILLV6jYRApZFte/SRw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-05-09T01:56:54Z"
+    mac: ENC[AES256_GCM,data:wZXKzRD+2I0mQoSOu3Xj8uzsSV7rK7wg+GjlzFqbP3qWd5DWSa1wmHuC9xBe3GRNps5L7vopGwngnFXbXu6tlsYuWUhSV/r7lh/wnrXKNlrt5qkWCpL3nXoYqkby+QzFG5ykCYOTsiMg31JYcbobO0kdNNjK0thKqLdFS7YBZig=,iv:O0Rccf08B27bfikTjQ2h+x6rbMUSqUSOSB3jW3Y4MJA=,tag:jBvzVKZgilzmUKQ6M+psAA==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.10.2
--- a/machines/thorite/default.nix
+++ b/machines/thorite/default.nix
@ -26,17 +26,10 @@
      address = [ "23.165.200.99/24" ];
    };

-    networking.firewall.allowedTCPPorts = [
-      80
-      443
-    ];
-
-    services.tailscale.enable = true;
-
-    services.caddy.enable = true;
-
    commonSettings = {
      auth.enable = true;
+      comin.enable = true;
+      serverComponents.enable = true;
    };

    nixpkgs.system = "x86_64-linux";
--- a/machines/thorite/monitoring.nix
+++ b/machines/thorite/monitoring.nix
@ -12,6 +12,8 @@ let
    hedgedocDomain
    grafanaUrl
    ntfyUrl
+    internalDomain
+    transmissionExporterUrl
    ;
  removeHttps = s: lib.removePrefix "https://" s;
 in
@ -58,7 +60,22 @@ in
        node.enable = true;
      };
      ruleModules =
-        (mkCaddyRules [ { host = "thorite"; } ])
+        [
+          {
+            name = "comin_rules";
+            rules = [
+              {
+                alert = "CominBuildFailed";
+                expr = "comin_build_info != 1";
+                for = "1m";
+                labels = {
+                  severity = "critical";
+                };
+              }
+            ];
+          }
+        ]
+        ++ (mkCaddyRules [ { host = "thorite"; } ])
        ++ (mkNodeRules [ { host = "thorite"; } ])
        ++ (mkBlackboxRules [ { host = "thorite"; } ]);
    };
@ -81,7 +98,24 @@ in
        ];
        passwordFile = config.sops.secrets."prometheus/metrics_password".path;
      in
-      (mkScrapes [
+      [
+        {
+          job_name = "comin";
+          scheme = "http";
+          static_configs = [
+            {
+              targets = map (host: "${host}.${internalDomain}:4243") [
+                "weilite"
+                "thorite"
+                "la-00"
+                "hk-00"
+                "fra-00"
+              ];
+            }
+          ];
+        }
+      ]
+      ++ (mkScrapes [
        {
          name = "immich";
          scheme = "http";
@ -118,9 +152,27 @@ in
        {
          name = "loki";
          scheme = "http";
-          address = "thorite.coho-tet.ts.net";
+          address = "thorite.${internalDomain}";
          port = 3100;
        }
+        {
+          name = "transmission";
+          scheme = "http";
+          address = "weilite.${internalDomain}";
+          port = 19091;
+        }
+        {
+          name = "sonarr";
+          scheme = "http";
+          address = "weilite.${internalDomain}";
+          port = 21560;
+        }
+        {
+          name = "radarr";
+          scheme = "http";
+          address = "weilite.${internalDomain}";
+          port = 21561;
+        }
      ])
      ++ (mkCaddyScrapes [
        { address = "thorite.coho-tet.ts.net"; }
@ -129,7 +181,6 @@ in
      ])
      ++ (mkNodeScrapes [
        { address = "thorite.coho-tet.ts.net"; }
-        { address = "massicot.coho-tet.ts.net"; }
        { address = "weilite.coho-tet.ts.net"; }
        { address = "biotite.coho-tet.ts.net"; }
        { address = "hk-00.coho-tet.ts.net"; }
@ -139,11 +190,7 @@ in
      ++ (mkBlackboxScrapes [
        {
          hostAddress = "thorite.coho-tet.ts.net";
-          targetAddresses = probeList ++ [ "49.13.13.122:443" ];
-        }
-        {
-          hostAddress = "massicot.coho-tet.ts.net";
-          targetAddresses = probeList ++ [ "45.142.178.32:443" ];
+          targetAddresses = probeList;
        }
        {
          hostAddress = "weilite.coho-tet.ts.net";
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@ -1,5 +1,4 @@
 {
-  config,
  pkgs,
  lib,
  modulesPath,
@ -13,12 +12,27 @@
  ];

  config = {
-    networking.hostName = "weilite";
+    networking = {
+      hostName = "weilite";
+      useNetworkd = true;
+    };
+    systemd.network = {
+      enable = true;
+      networks = {
+        "10-wan" = {
+          matchConfig.MACAddress = "52:54:00:db:23:d0";
+          networkConfig.DHCP = "ipv4";
+        };
+      };
+    };
    commonSettings = {
      auth.enable = true;
      nix = {
        enable = true;
      };
+      comin.enable = true;
+      network.localdns.enable = true;
+      serverComponents.enable = true;
    };

    boot = {
@ -33,25 +47,25 @@
        "usb_storage"
        "sd_mod"
      ];
-      kernelModules = [ "kvm-intel" ];
+      kernelModules = [
+        "kvm-intel"
+      ];
+      kernelPackages = pkgs.linuxPackages_6_12;
    };

    nixpkgs.config.allowUnfree = true;
+    nixpkgs.hostPlatform = "x86_64-linux";

-    environment.systemPackages = [ pkgs.virtiofsd ];
+    environment.systemPackages = [
+      pkgs.virtiofsd
+      pkgs.intel-gpu-tools
+      pkgs.pciutils
+    ];

    sops = {
      defaultSopsFile = ./secrets.yaml;
      age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
      secrets = {
-        cloudflare_dns_token = {
-          owner = "caddy";
-          mode = "400";
-        };
-        dnspod_dns_token = {
-          owner = "caddy";
-          mode = "400";
-        };
        "restic/localpass" = {
          owner = "restic";
        };
@ -74,49 +88,50 @@

    systemd.mounts = [
      {
-        what = "immich";
-        where = "/mnt/XinPhotos/immich";
+        what = "nixos";
+        where = "/mnt/nixos";
        type = "virtiofs";
        options = "rw,nodev,nosuid";
-        wantedBy = [ "immich-server.service" ];
      }
      {
        what = "originals";
-        where = "/mnt/XinPhotos/originals";
+        where = "/mnt/photos/xin/originals";
        type = "virtiofs";
        options = "rw,nodev,nosuid";
        wantedBy = [ "immich-server.service" ];
      }
      {
-        what = "restic";
+        what = "/mnt/nixos/ocis";
+        where = "/var/lib/ocis";
+        options = "bind";
+        after = [ "mnt-nixos.mount" ];
+        wantedBy = [ "ocis.service" ];
+      }
+      {
+        what = "/mnt/nixos/restic";
        where = "/var/lib/restic";
-        type = "virtiofs";
-        options = "rw,nodev,nosuid";
+        options = "bind";
+        after = [ "mnt-nixos.mount" ];
        wantedBy = [ "restic-rest-server.service" ];
      }
      {
-        what = "ocis";
-        where = "/var/lib/ocis";
-        type = "virtiofs";
-        options = "rw,nodev,nosuid";
-        wantedBy = [ "ocis.service" ];
+        what = "/mnt/nixos/immich";
+        where = "/var/lib/immich";
+        options = "bind";
+        after = [ "mnt-nixos.mount" ];
+        wantedBy = [ "immich-server.service" ];
      }
    ];

-    services.openssh.ports = [
-      22
-      2222
-    ];
-
-    services.dae = {
+    hardware.graphics = {
      enable = true;
-      configFile = "/var/lib/dae/config.dae";
-    };
-
-    services.tailscale = {
-      enable = true;
-      openFirewall = true;
-      permitCertUid = "caddy";
+      extraPackages = with pkgs; [
+        intel-media-driver
+        intel-vaapi-driver
+        vaapiVdpau
+        intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+        intel-media-sdk # QSV up to 11th gen
+      ];
    };

    services.tailscale.derper = {
@ -128,44 +143,6 @@
    # tailscale derper module use nginx for reverse proxy
    services.nginx.enable = lib.mkForce false;

-    services.caddy = {
-      enable = true;
-      package = pkgs.caddy.withPlugins {
-        caddyModules = [
-          {
-            repo = "github.com/caddy-dns/cloudflare";
-            version = "89f16b99c18ef49c8bb470a82f895bce01cbaece";
-          }
-          {
-            repo = "github.com/caddy-dns/dnspod";
-            version = "1fd4ce87e919f47db5fa029c31ae74b9737a58af";
-          }
-        ];
-        vendorHash = "sha256-OhOeU2+JiJyIW9WdCYq98OKckXQZ9Fn5zULz0aLsXMI=";
-      };
-      virtualHosts."derper00.namely.icu:8443".extraConfig = ''
-        reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
-      '';
-      virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
-        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
-      '';
-      # API Token must be added in systemd environment file
-      virtualHosts."immich.xinyang.life:8000".extraConfig = ''
-        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
-      '';
-      globalConfig = ''
-        acme_dns dnspod {env.DNSPOD_API_TOKEN}
-      '';
-    };
-
-    networking.firewall.allowedTCPPorts = [ 8000 ];
-
-    systemd.services.caddy = {
-      serviceConfig = {
-        EnvironmentFile = config.sops.secrets.dnspod_dns_token.path;
-      };
-    };
-
    time.timeZone = "Asia/Shanghai";

    fileSystems."/" = {
--- a/machines/weilite/secrets.yaml
+++ b/machines/weilite/secrets.yaml
@ -1,14 +1,22 @@
-cloudflare_dns_token: ENC[AES256_GCM,data:m4euSkxxJmiMk9UPyeni/hwpl1W9A4MM0ssg71eOBsX4fFyG39NJeKbNTddW7omBx3gKJtnrRuDdOj5wpg==,iv:eRVzsGwz8hWC42jM+VeSUWCS9Gi8VGSY8Fyh+En0jEI=,tag:NNE8VeNQ8kp9KyziVokyuQ==,type:str]
-dnspod_dns_token: ENC[AES256_GCM,data:uZfr3g103amywxh3NMU+AkwuYb61svzyavvQ4rxJijIMIbfPvERrVNcyivoOrFWYXHpPWkhZFdU=,iv:mArVAcebW9i+u26GmQmfmJTsFkR4ZRMIisTqjpMYan8=,tag:Zsmv1Wzfi3+PHigjReToHQ==,type:str]
+caddy:
+    cf_dns_token: ENC[AES256_GCM,data:7PvP3oYMZ3dAeWaJNiuvEweUf3psDhyu90FT6cP0/AIOa0E40sdIRQ==,iv:IIYnZ35xAm9JJa14oHJi+ddI0u7Pgc4MfPLnKT4IlPc=,tag:V1PGZpaVzdN2cLpktbvTnA==,type:str]
+    huawei_dns_access_key: ENC[AES256_GCM,data:3y9Sl9RDJlRkgTsctH8O4gRAcAU=,iv:2e03AKVniVYFyHV6KB00I/Y1rHD0Ira6kgly7zDqNT0=,tag:w6j1g329XIOrvshx7Ft7aA==,type:str]
+    huawei_dns_secret_key: ENC[AES256_GCM,data:or4WW7uFvbIoUwh1G63YDQxTFUnkkYrDJG0HEqoKzOSV+8rqy9cHrA==,iv:wB+TT8bh7jhN0ppJ3pqh882cs6RczpOtxKuYuyjRhMY=,tag:GlTSuYeGrGY/3b0g7IbLzw==,type:str]
 immich:
    oauth_client_secret: ENC[AES256_GCM,data:EFs2hPjGMj0idwY3oQVIDTOIWkdwoAoAVjDQE9Z2eAKzUDH3grmYpYE+33V8d/Ux,iv:A9cjwFr/ZqltG62/N8MQ1LhdDbSIVVAqIPVB492zYJw=,tag:VTTtE697BZTVsI32UF53/w==,type:str]
+    auto_stack_apikey: ENC[AES256_GCM,data:pormMdxkevrw1sJrmVtD+jEbfQFTOHeyZRepZt2roftjDYAdbzpppg==,iv:wumPYaTAfU+J0MD6yOFKmxY8eDMzwqVsd3IUXyTfk0A=,tag:54HlWH3iKyWG2Gv9QS/wLA==,type:str]
 restic:
    localpass: ENC[AES256_GCM,data:GIQAmkpDmGu4+sSG5/b5yQ==,iv:dcu6F8NnVjeQzEG2vM3fOV5owI0PWc86ts20UP3vN18=,tag:vsG8x062FG1pH5YNcAajeg==,type:str]
+transmission:
+    rpc-password: ENC[AES256_GCM,data:4dumy0hygGOuwU3ANky3xEKRDRBAJWE=,iv:HVV2J+F8HndHZNsMD2YmkWrJOzk5JIapGd0SuQP8VqU=,tag:xqp5pxh5cYYogA4alrmIfg==,type:str]
+sonarr:
+    api-key: ENC[AES256_GCM,data:/CkApTCLQy8TLHGKSM1saacNi9uQDswAjshRSLJk1hg=,iv:PNX4BZLx7krs12lxgORMSarnt0c/ga8yPtoLSzbQ+sY=,tag:V1pp9OCtX5/5fbwLBMGlOQ==,type:str]
+radarr:
+    api-key: ENC[AES256_GCM,data:AeJArngvgmqnxk2g13QjMa6XS893B+3ZdX2K8OqXRQg=,iv:NrQf3yyqRpHMeWQ3bpPH4fUDdo/x2uB6pQCq0ZrFP5c=,tag:Yj2PSy6zRfe8anW0RGuZAQ==,type:str]
+webdav:
+    photosync:
+        password: ENC[AES256_GCM,data:s+omleBtVALG5bpbTnlzbwBj0oCZX8Dm8IbcUV6COnI=,iv:vwCs3ujmCcE87rl91ZtOEAgSQF1/0t17/7/0UM4x8fE=,tag:ylw76CX9SCylWoJt86rmjg==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
    age:
        - recipient: age1uw059wcwfvd9xuj0hpqzqpeg7qemecspjrsatg37wc7rs2pumfdsgken0c
          enc: |
@ -28,8 +36,7 @@ sops:
            V0thRjU4WGpQRGFpcnoxSjZTZHhTTkUKzNMHh9p7GUY3hL5XZ9S4x20CwaItsXFV
            RKujsFVVBd8Kuq/jyOCBTRCscuHI4LW/wYeZYHFEZFSTK2liAqspgw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-03T05:59:51Z"
-    mac: ENC[AES256_GCM,data:0dLbfkm7fJvH5Mmct0/qHulg2AtDCeeeOgWMXfeGRUaX3GlLDiLga0zW4uNPDuahVecdh6ofvYfBOxFaGUdBCHk9vq5GzrwrzBNhqObWQ3AqVuq5rjqSxEKoFM4Eb5qoqaOefFzT/9qC94NDETTsHhjiEeIgd4fgSr2dazNiFPE=,iv:Ggw0FHzkrhKh5Uzo3seHGwwHsWW/tTAgAl0iIq9PVk4=,tag:rJvUI5/wsLJ01XyKmkRghw==,type:str]
-    pgp: []
+    lastmodified: "2025-05-08T13:07:05Z"
+    mac: ENC[AES256_GCM,data:19bgXUH6rhQLin0RO0F5pgqzNIzHq5x+oSpIscbDimRvUhnvalMX6KSmbVgrHeNHrx4n3MpwI65Z+/6eeiR0Y6O2MOv49580UVKIEEP/yAPd3tbOW28/WsNp7MMhtF1Fx6o/rirV+H4vkvzq9+/z3tHO2MMjh9LeLcFB36b8ZD8=,iv:lU9o59P8BS1Azd0lVRtq8d3yNau54J9attOEiC32E4E=,tag:zUawHckwaXSxc7RWimVPUQ==,type:str]
    unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.10.2
--- a/machines/weilite/services/caddy.nix
+++ b/machines/weilite/services/caddy.nix
@ -0,0 +1,55 @@
+{ config, pkgs, ... }:
+{
+  sops = {
+    secrets = {
+      "caddy/cf_dns_token" = {
+        owner = "caddy";
+        mode = "400";
+      };
+      "caddy/huawei_dns_access_key" = {
+        owner = "caddy";
+        mode = "400";
+      };
+      "caddy/huawei_dns_secret_key" = {
+        owner = "caddy";
+        mode = "400";
+      };
+    };
+    templates."caddy.env".content = ''
+      CF_API_TOKEN=${config.sops.placeholder."caddy/cf_dns_token"}
+      HUAWEICLOUD_ACCESS_KEY=${config.sops.placeholder."caddy/huawei_dns_access_key"}
+      HUAWEICLOUD_SECRET_KEY=${config.sops.placeholder."caddy/huawei_dns_secret_key"}
+    '';
+  };
+
+  services.caddy =
+    let
+      acmeCF = "tls {
+        dns cloudflare {env.CF_API_TOKEN}
+      }";
+      acmeHuawei = "tls {
+        dns huaweicloud  {
+          access_key_id {env.HUAWEICLOUD_ACCESS_KEY}
+          secret_access_key {env.HUAWEICLOUD_SECRET_KEY}
+        }
+      }";
+    in
+    {
+      virtualHosts."derper00.namely.icu:8443".extraConfig = ''
+        ${acmeCF}
+        reverse_proxy 127.0.0.1:${toString config.services.tailscale.derper.port}
+      '';
+      virtualHosts."immich.xiny.li:8443".extraConfig = ''
+        ${acmeCF}
+        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
+      '';
+    };
+
+  networking.firewall.allowedTCPPorts = [ 8443 ];
+
+  systemd.services.caddy = {
+    serviceConfig = {
+      EnvironmentFile = config.sops.templates."caddy.env".path;
+    };
+  };
+}
--- a/machines/weilite/services/default.nix
+++ b/machines/weilite/services/default.nix
@ -1,8 +1,12 @@
 {
  imports = [
+    ./caddy.nix
    ./ocis.nix
    ./restic.nix
    ./media-download.nix
    ./immich.nix
+    ./jellyfin.nix
+    ./transmission.nix
+    ./webdav.nix
  ];
 }
--- a/machines/weilite/services/immich.nix
+++ b/machines/weilite/services/immich.nix
@ -1,13 +1,18 @@
 {
  config,
+  pkgs,
+  lib,
  ...
 }:
 let
+  inherit (config.my-lib.settings) idpUrl;
+
  user = config.systemd.services.immich-server.serviceConfig.User;
+  immichUrl = "immich.xiny.li:8443";
  jsonSettings = {
    oauth = {
      enabled = true;
-      issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
+      issuerUrl = "https://${idpUrl}/oauth2/openid/immich/";
      clientId = "immich";
      clientSecret = config.sops.placeholder."immich/oauth_client_secret";
      scope = "openid email profile";
@ -16,7 +21,21 @@ let
      buttonText = "Login with Kanidm";
      autoLaunch = true;
      mobileOverrideEnabled = true;
-      mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+      mobileRedirectUri = "https://${immichUrl}/api/oauth/mobile-redirect/";
+    };
+    job = {
+      faceDetection = {
+        concurrency = 3;
+      };
+      backgroundTask = {
+        concurrency = 2;
+      };
+      metadataExtraction = {
+        concurrency = 2;
+      };
+      thumbnailGeneration = {
+        concurrency = 1;
+      };
    };
    passwordLogin = {
      enabled = false;
@ -27,37 +46,123 @@ let
    newVersionCheck = {
      enabled = false;
    };
+    ffmpeg = {
+      accel = "qsv";
+      accelDecode = true;
+    };
+    machineLearning = {
+      enabled = true;
+      urls = [
+        "http://calcite.coho-tet.ts.net:3003"
+        "http://127.0.0.1:3003"
+      ];
+      clip = {
+        enabled = true;
+        modelName = "XLM-Roberta-Large-ViT-H-14__frozen_laion5b_s13b_b90k";
+      };
+      facialRecognition = {
+        maxDistance = 0.35;
+        minFaces = 10;
+      };
+    };
  };
 in
 {
  config = {
-    sops.secrets."immich/oauth_client_secret" = { };
+    sops.secrets = {
+      "immich/oauth_client_secret" = { };
+      "immich/auto_stack_apikey" = { };
+    };

    sops.templates."immich/config.json" = {
      owner = user; # Read when running
      content = builtins.toJSON jsonSettings;
    };

+    sops.templates."immich/auto_stack.env" = {
+      owner = "immich_auto_stack";
+      content = ''
+        API_KEY=${config.sops.placeholder."immich/auto_stack_apikey"}
+      '';
+    };
+
+    systemd.timers.immich-auto-stack = {
+      enable = true;
+      wantedBy = [ "immich-server.service" ];
+      timerConfig = {
+        Unit = "immich-auto-stack.service";
+        OnCalendar = "*-*-* 4:00:00";
+      };
+    };
+
+    systemd.services.immich-auto-stack =
+      let
+        python = pkgs.python3.withPackages (
+          ps: with ps; [
+            requests
+          ]
+        );
+        immich_auto_stack = pkgs.fetchurl {
+          url = "https://gist.githubusercontent.com/xinyangli/39de5979e72d81af6fe9ddb7d1805df4/raw/7798ed8cef7bcd3d06ed005feb0dd01b4b603684/immich_auto_stack.py";
+          hash = "sha256-qE7TRJ+TLFdSJanBiuKP6fgijdE1NqAeSXWSzsfyEO0=";
+        };
+      in
+      {
+        environment = {
+          SKIP_MATCH_MISS = "true";
+          DRY_RUN = "false";
+          API_URL = "http://127.0.0.1:${toString config.services.immich.port}/api";
+          PARENT_PROMOTE = "hdr,edit,export,selects,output";
+        };
+        serviceConfig = {
+          ExecStart = "${lib.getExe python} ${immich_auto_stack}";
+          EnvironmentFile = config.sops.templates."immich/auto_stack.env".path;
+          WorkingDirectory = "%t/immich-auto-stack";
+          RuntimeDirectory = "immich-auto-stack";
+          User = "immich_auto_stack";
+          Group = "immich_auto_stack";
+        };
+      };
+
    systemd.services.immich-server = {
      serviceConfig = {
+        BindReadOnlyPaths = [
+          "/mnt/photos/xin/originals:/mnt/immich/external-library/xin"
+        ];
        Environment = "IMMICH_CONFIG_FILE=${config.sops.templates."immich/config.json".path}";
      };
    };

    services.immich = {
      enable = true;
-      mediaLocation = "/mnt/XinPhotos/immich";
      host = "127.0.0.1";
      port = 3001;
      openFirewall = true;
      machine-learning.enable = true;
+      accelerationDevices = [
+        "/dev/dri/renderD128"
+        "/dev/dri/card0"
+      ];
      environment = {
        IMMICH_MACHINE_LEARNING_ENABLED = "true";
      };
      database.enable = true;
    };

-    # https://github.com/NixOS/nixpkgs/pull/324127/files#r1723763510
+    users.users.immich.extraGroups = [
+      "video"
+      "render"
+      "privimg"
+    ];
+
+    users.groups.privimg = { };
+
+    users.groups.immich_auto_stack = { };
+    users.users.immich_auto_stack = {
+      isSystemUser = true;
+      group = "immich_auto_stack";
+    };
+
    services.immich.redis.host = "/run/redis-immich/redis.sock";
  };
 }
--- a/machines/weilite/services/jellyfin.nix
+++ b/machines/weilite/services/jellyfin.nix
@ -0,0 +1,25 @@
+{ config, pkgs, ... }:
+let
+  cfg = config.services.jellyfin;
+in
+{
+  services.jellyfin.enable = true;
+
+  systemd.services.jellyfin.serviceConfig = {
+    BindReadOnlyPaths = [
+      "/mnt/nixos/media:${cfg.dataDir}/media"
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    jellyfin
+    jellyfin-web
+    jellyfin-ffmpeg
+  ];
+  services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:8920".extraConfig = ''
+    reverse_proxy 127.0.0.1:8096
+  '';
+
+  users.users.jellyfin.extraGroups = [ "render" ];
+  users.groups.media.members = [ cfg.user ];
+}
--- a/machines/weilite/services/media-download.nix
+++ b/machines/weilite/services/media-download.nix
@ -1,15 +1,16 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
+let
+  inherit (config.my-lib.settings)
+    internalDomain
+    ;
+in
 {
+  sops.secrets = {
+    "sonarr/api-key" = { };
+    "radarr/api-key" = { };
+  };
  services.jackett = {
    enable = true;
-    package = pkgs.jackett.overrideAttrs {
-      src = pkgs.fetchFromGitHub {
-        owner = "jackett";
-        repo = "jackett";
-        rev = "v0.22.998";
-        hash = "sha256-CZvgDWxxIAOTkodgmFNuT3VDW6Ln4Mz+Ki7m91f0BgE=";
-      };
-    };
    openFirewall = false;
  };

@ -27,4 +28,25 @@
  services.radarr = {
    enable = true;
  };
+
+  services.prometheus.exporters.exportarr-sonarr = {
+    enable = true;
+    url = "http://127.0.0.1:8989";
+    apiKeyFile = config.sops.secrets."sonarr/api-key".path;
+    listenAddress = "weilite.${internalDomain}";
+    port = 21560;
+  };
+
+  services.prometheus.exporters.exportarr-radarr = {
+    enable = true;
+    url = "http://127.0.0.1:7878";
+    apiKeyFile = config.sops.secrets."radarr/api-key".path;
+    listenAddress = "weilite.${internalDomain}";
+    port = 21561;
+  };
+
+  users.groups.media.members = [
+    config.services.sonarr.user
+    config.services.radarr.user
+  ];
 }
--- a/machines/weilite/services/ocis.nix
+++ b/machines/weilite/services/ocis.nix
@ -27,7 +27,6 @@
    # environmentFile = config.sops.secrets."ocis/env".path;
  };

-  networking.firewall.allowedTCPPorts = [ 8443 ];
  services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = ''
    reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port}
  '';
--- a/machines/weilite/services/restic.nix
+++ b/machines/weilite/services/restic.nix
@ -34,14 +34,14 @@ in

  services.restic.backups = builtins.listToAttrs [
    (mkPrune "xin" "calcite")
-    (mkPrune "xin" "massicot")
    (mkPrune "xin" "biotite")
    (mkPrune "xin" "thorite")
  ];

-  networking.firewall.allowedTCPPorts = [ 8443 ];
-
  services.caddy.virtualHosts."https://backup.xinyang.life:8443".extraConfig = ''
+    tls {
+      dns dnspod {env.DNSPOD_API_TOKEN}
+    }
    reverse_proxy ${config.services.restic.server.listenAddress}
  '';
 }
--- a/machines/weilite/services/transmission.nix
+++ b/machines/weilite/services/transmission.nix
@ -0,0 +1,99 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.transmission;
+  inherit (config.my-lib.settings) transmissionExporterUrl;
+in
+{
+  sops.secrets = {
+    "transmission/rpc-password" = { };
+  };
+
+  sops.templates."transmission-cred.json" = {
+    content = builtins.toJSON {
+      rpc-password = config.sops.placeholder."transmission/rpc-password";
+    };
+  };
+
+  sops.templates."transmission-cred.env" = {
+    content = ''
+      TRANSMISSION_PASSWORD=${config.sops.placeholder."transmission/rpc-password"}
+    '';
+  };
+
+  services.transmission = {
+    enable = true;
+    package = pkgs.transmission_4;
+    openPeerPorts = true;
+    credentialsFile = config.sops.templates."transmission-cred.json".path;
+    settings = {
+      download-dir = "/mnt/nixos/media";
+      incomplete-dir = "/mnt/nixos/transmission/incomplete";
+      alt-speed-down = 40960;
+      alt-speed-enabled = true;
+      alt-speed-time-begin = 60;
+      alt-speed-time-day = 127;
+      alt-speed-time-enabled = true;
+      alt-speed-time-end = 420;
+      alt-speed-up = 4096;
+      bind-address-ipv4 = "0.0.0.0";
+      bind-address-ipv6 = "::";
+      download-queue-enabled = true;
+      download-queue-size = 10;
+      incomplete-dir-enabled = true;
+      lpd-enabled = false;
+      message-level = 4;
+      peer-congestion-algorithm = "";
+      peer-id-ttl-hours = 6;
+      peer-limit-global = 200;
+      peer-limit-per-torrent = 50;
+      peer-port = 51413;
+      peer-socket-tos = "cs1";
+      pex-enabled = true;
+      preallocation = 1;
+      prefetch-enabled = true;
+      queue-stalled-enabled = true;
+      queue-stalled-minutes = 30;
+      rename-partial-files = true;
+      rpc-bind-address = "127.0.0.1";
+      rpc-enabled = true;
+      rpc-authentication-required = true;
+      rpc-port = 9092;
+      rpc-username = "xin";
+      rpc-whitelist = "127.0.0.1";
+      speed-limit-down = 20480;
+      speed-limit-down-enabled = true;
+      speed-limit-up = 3072;
+      speed-limit-up-enabled = true;
+      start-added-torrents = true;
+      watch-dir-enabled = false;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 9091 ];
+  services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:9091".extraConfig = ''
+    reverse_proxy 127.0.0.1:${toString cfg.settings.rpc-port}
+  '';
+
+  systemd.services.prometheus-transmission-exporter = {
+    enable = true;
+    wantedBy = [ "transmission.service" ];
+    environment = {
+      WEB_ADDR = transmissionExporterUrl;
+      TRANSMISSION_ADDR = "http://127.0.0.1:${toString cfg.settings.rpc-port}";
+      TRANSMISSION_USERNAME = "xin";
+    };
+    after = [ "tailscaled.service" ];
+    wants = [ "tailscaled.service" ];
+    serviceConfig = {
+      ExecStart = "${lib.getExe pkgs.transmission-exporter}";
+      EnvironmentFile = config.sops.templates."transmission-cred.env".path;
+    };
+  };
+
+  users.groups.media.members = [ cfg.user ];
+}
--- a/machines/weilite/services/webdav.nix
+++ b/machines/weilite/services/webdav.nix
@ -0,0 +1,47 @@
+{ config, ... }:
+{
+
+  sops.secrets = {
+    "webdav/photosync/password" = { };
+  };
+
+  sops.templates."webdav.env" = {
+    content = ''
+      PHOTOSYNC_PASSWORD=${config.sops.placeholder."webdav/photosync/password"}
+    '';
+  };
+
+  services.webdav = {
+    enable = true;
+    settings = {
+      address = "127.0.0.1";
+      port = "16065";
+      permissions = "CRUD";
+      behindProxy = true;
+      users = [
+        {
+          username = "photosync";
+          password = "{env}PHOTOSYNC_PASSWORD";
+        }
+      ];
+    };
+    group = "privimg";
+    environmentFile = config.sops.templates."webdav.env".path;
+  };
+
+  systemd.services.webdav.serviceConfig = {
+    BindPaths = [
+      "/mnt/photos/xin/originals:%t/webdav/photosync"
+    ];
+    RuntimeDirectory = "webdav";
+    WorkingDirectory = "%t/webdav";
+  };
+
+  users.users."${config.services.webdav.user}".extraGroups = [
+    "privimg"
+  ];
+
+  services.caddy.virtualHosts."https://weilite.coho-tet.ts.net:6065".extraConfig = ''
+    reverse_proxy 127.0.0.1:16065
+  '';
+}
--- a/modules/home-manager/fish.nix
+++ b/modules/home-manager/fish.nix
@ -91,10 +91,6 @@ in
                  ${pkgs.comma}/bin/comma $argv
                end
                set -gx LS_COLORS (${lib.getExe pkgs.vivid} generate catppuccin-mocha)
-                alias ctlsp="systemctl stop"
-                alias ctlst="systemctl start"
-                alias ctlrt="systemctl restart"
-                alias ctls="systemctl status"
              ''
            else
              "";
--- a/modules/home-manager/gui/niri.nix
+++ b/modules/home-manager/gui/niri.nix
@ -34,10 +34,6 @@ in
  };

  config = mkIf cfg.enable {
-    home.packages = with pkgs; [
-      cosmic-files
-    ];
-
    systemd.user.services.xwayland-satellite = {
      Install = {
        WantedBy = [ "graphical-session.target" ];
--- a/modules/home-manager/gui/themes.nix
+++ b/modules/home-manager/gui/themes.nix
@ -13,6 +13,10 @@
        name = "Catppuccin-GTK-Dark";
        package = pkgs.magnetic-catppuccin-gtk;
      };
+      iconTheme = {
+        name = "Qogir";
+        package = pkgs.qogir-icon-theme;
+      };
      gtk2.configLocation = "${config.xdg.configHome}/gtk-2.0/gtkrc";
    };
  };
--- a/modules/home-manager/gui/waybar.nix
+++ b/modules/home-manager/gui/waybar.nix
@ -16,7 +16,66 @@ in
  config = mkIf cfg.enable {
    programs.waybar = {
      enable = true;
-      style = readFile ./waybar.css;
+      style = ''
+        * {
+          font-family: Ubuntu Nerd Font, Noto Sans CJK SC;
+          font-size: 14px;
+          font-weight: bold;
+          min-height: 14px;
+        }
+
+        window#waybar {
+          color: @text;
+          opacity: 0.95;
+          background-color: @crust;
+          padding: 2px;
+        }
+
+        #custom-nixos {
+          background-color: #24273a;
+          padding-left: 15px;
+          padding-right: 18px;
+        }
+
+        #custom-separator {
+          margin: 0 2px;
+        }
+
+        #workspaces {
+          border-radius: 0;
+        }
+        #workspaces button {
+          padding: 0 10px;
+          border-radius: 0;
+        }
+        #workspaces button.focused,
+        #workspaces button.active {
+          border-bottom: 4px solid #8aadf4;
+        }
+        #workspaces button.empty {
+          font-size: 0;
+          min-width: 0;
+          min-height: 0;
+          margin: 0;
+          padding: 0;
+          border: 0;
+          opacity: 0;
+          box-shadow: none;
+        }
+        #cpu,
+        #memory,
+        #pulseaudio,
+        #network,
+        #backlight,
+        #battery,
+        #tray,
+        #custom-notification {
+          margin-right: 15px;
+        }
+        #clock {
+          font-size: 16px;
+        }
+      '';
      settings = {
        main = {
          margin = "2px 3px 2 3px";
@ -44,8 +103,6 @@ in
          modules-right = [
            "network#speed"
            "custom/separator"
-            "network#if"
-            "custom/separator"
            "pulseaudio"
            "custom/separator"
            "memory"
@ -121,22 +178,6 @@ in
            format = "  {percentage}%";
          };

-          "network#if" = {
-            format = "{ifname}";
-            format-disconnected = "󰌙";
-            format-ethernet = "󰌘";
-            format-linked = "{ifname} (No IP)  󰈁";
-            format-wifi = "{icon}";
-            format-icons = [
-              "󰤯"
-              "󰤟"
-              "󰤢"
-              "󰤥"
-              "󰤨"
-            ];
-            interval = 10;
-          };
-
          "network#speed" = {
            format = "{ifname}";
            format-disconnected = "󰌙";
--- a/modules/nixos/common-settings/auth.nix
+++ b/modules/nixos/common-settings/auth.nix
@ -11,6 +11,8 @@ let
    mkEnableOption
    ;

+  inherit (config.my-lib.settings) idpUrl;
+
  cfg = config.commonSettings.auth;
 in
 {
@ -20,9 +22,10 @@ in

  config = mkIf cfg.enable {
    services.kanidm = {
+      package = pkgs.kanidm_1_5;
      enableClient = true;
      clientSettings = {
-        uri = "https://auth.xinyang.life";
+        uri = "https://${idpUrl}";
      };
      enablePam = true;
      unixSettings = {
@ -35,6 +38,7 @@ in
      enable = true;
      authorizedKeysCommand = "/etc/ssh/auth %u";
      authorizedKeysCommandUser = "kanidm-ssh-runner";
+      openFirewall = true;
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
@ -45,11 +49,11 @@ in
    environment.etc."ssh/auth" = {
      mode = "0555";
      text = ''
-        #!${pkgs.stdenv.shell}
+        #!/bin/sh
        ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
      '';
    };
-    users.groups.wheel.members = [ "xin@auth.xinyang.life" ];
+    users.groups.wheel.members = [ "xin@${idpUrl}" ];
    users.groups.kanidm-ssh-runner = { };
    users.users.kanidm-ssh-runner = {
      isSystemUser = true;
--- a/modules/nixos/common-settings/china-domains.txt
+++ b/modules/nixos/common-settings/china-domains.txt
--- a/modules/nixos/common-settings/comin.nix
+++ b/modules/nixos/common-settings/comin.nix
@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  inherit (lib)
+    mkEnableOption
+    mkIf
+    ;
+
+  cfg = config.commonSettings.comin;
+in
+{
+  options.commonSettings.comin = {
+    enable = mkEnableOption "auto updater with comin";
+  };
+
+  config = {
+    services.comin = mkIf cfg.enable {
+      enable = true;
+      remotes = [
+        {
+          name = "origin";
+          url = "https://github.com/xinyangli/nixos-config.git";
+          branches.main.name = "deploy";
+        }
+      ];
+      hostname = config.networking.hostName;
+      executor.type = "garnix";
+    };
+  };
+}
--- a/modules/nixos/common-settings/mainland.nix
+++ b/modules/nixos/common-settings/mainland.nix
@ -16,9 +16,15 @@ let
  cfg = config.inMainland;
 in
 {
-  options.inMainland = mkOption {
-    type = types.bool;
-    default = config.time.timeZone == "Asia/Shanghai";
+  options = {
+    inMainland = mkOption {
+      type = types.bool;
+      default = config.time.timeZone == "Asia/Shanghai";
+    };
+    commonSettings.network.enableProxy = mkOption {
+      type = types.bool;
+      default = config.inMainland;
+    };
  };

  config = mkIf cfg {
@ -31,8 +37,144 @@ in
      "ntp.ntsc.ac.cn"
    ];

-    services.dae = {
+    sops = mkIf config.commonSettings.network.enableProxy {
+      secrets = {
+        "dae/sub" = {
+          sopsFile = ../../../machines/secrets.yaml;
+        };
+      };
+      templates."dae/sub.dae".content = ''
+        subscription {
+          my_sub: '${config.sops.placeholder."dae/sub"}'
+        }
+      '';
+    };
+
+    systemd.services.dae.serviceConfig.LoadCredential = mkIf config.commonSettings.network.enableProxy [
+      "sub.dae:${config.sops.templates."dae/sub.dae".path}"
+    ];
+
+    services.dae = mkIf config.commonSettings.network.enableProxy {
      enable = mkDefault true;
+      config = ''
+        include {
+          ./sub.dae
+        }
+        global {
+          tproxy_port: 12345
+          tproxy_port_protect: true
+          so_mark_from_dae: 0
+          log_level: info
+          disable_waiting_network: false
+
+          ##### Interface and kernel options.
+          # lan_interface: docker0
+          wan_interface: auto
+
+          auto_config_kernel_parameter: true
+
+          ##### Node connectivity check.
+          tcp_check_url: 'http://cp.cloudflare.com,1.1.1.1,2606:4700:4700::1111'
+          tcp_check_http_method: HEAD
+
+          udp_check_dns: 'dns.quad9.net:53,9.9.9.9,2620:fe::fe'
+
+          check_interval: 30s
+
+          # Group will switch node only when new_latency <= old_latency - tolerance.
+          check_tolerance: 100ms 
+
+          ##### Connecting options.
+
+          
+          dial_mode: ${if config.commonSettings.network.localdns.enable then "domain+" else "domain"}
+          allow_insecure: false
+          sniffing_timeout: 100ms
+          tls_implementation: tls
+          # utls_imitate: firefox_auto
+
+          mptcp: true
+        }
+
+        # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/dns.md for full examples.
+        dns {
+          ipversion_prefer: 4
+
+          upstream {
+        	    globaldns: 'tls://dns.quad9.net'
+        	    cndns: 'quic://dns.alidns.com:853'
+        	    tsdns: 'udp://100.100.100.100'
+        	    localdns: 'udp://127.0.0.1:53' 
+          }
+
+          routing {
+            request {
+              ${
+                if config.commonSettings.network.localdns.enable then
+                  ''
+                    fallback: localdns
+                  ''
+                else
+                  ''
+                    qname(suffix:ts.net) -> tsdns
+                    qname(geosite:cn) -> cndns
+                    fallback: globaldns
+                  ''
+              }
+            }
+          }
+        }
+
+        # Node group (outbound).
+        group {
+          default_group {
+            filter: name(regex: '^(hk)[0-9]+') [add_latency: -30ms]
+            filter: name(regex: '^(la)[0-9]+') [add_latency: -140ms]
+            filter: name(regex: '^(fra)[0-9]+') [add_latency: -150ms]
+            policy: min_moving_avg
+          }
+
+          clean_ip {
+            filter: name(regex: '^(fra)[0-9]+') [add_latency: -150ms]
+            policy: fixed(0)
+          }
+        }
+
+        # See https://github.com/daeuniverse/dae/blob/main/docs/en/configuration/routing.md for full examples.
+        routing {
+          # pname(kresd) && dport(53) && l4proto(udp)-> must_direct
+          # Disable h3 because it usually consumes too much cpu/mem resources.
+          l4proto(udp) && dport(443) -> block
+
+          pname(blackbox_exporter) -> direct
+          pname(tailscaled) -> direct
+          pname(transmission-daemon) -> direct
+          dscp(0x8) -> direct
+
+          dip(224.0.0.0/3, 'ff00::/8') -> direct
+          dip(geoip:private) -> direct
+
+          # Direct traffic to dns server
+          dip(1.12.12.12) -> direct
+          dip(223.5.5.5) -> direct
+          dip(223.6.6.6) -> direct
+
+          # === Force Proxy ===
+          domain(geosite:linkedin) -> default_group
+          domain(full: sourceware.org) -> clean_ip
+
+          # === Custom direct rules ===
+          domain(geosite:cn) -> direct
+          domain(geosite:steam@cn) -> direct
+          domain(suffix:steamserver.net) -> direct
+          domain(suffix:test.steampowered.com) -> direct
+
+          dip(geoip:cn) -> direct
+
+          fallback: default_group
+        }
+      '';
+
    };
  };
 }
--- a/modules/nixos/common-settings/network.nix
+++ b/modules/nixos/common-settings/network.nix
@ -0,0 +1,157 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  inherit (lib) mkEnableOption mkOption mkIf;
+  inherit (config.my-lib.settings)
+    internalDomain
+    ;
+  cfg = config.commonSettings.network;
+in
+{
+  options.commonSettings.network = {
+    localdns = {
+      enable = mkEnableOption "Local DNS resolver";
+      cacheSize = mkOption {
+        type = lib.types.int;
+        description = "Max cache size for knot-resolver in MB";
+        default = 100;
+      };
+    };
+    tailscale = {
+      enable = mkEnableOption "Tailscale client" // {
+        default = true;
+      };
+      before = mkOption {
+        default = [ ];
+        type = lib.types.listOf lib.types.str;
+      };
+    };
+  };
+
+  config = lib.mkMerge [
+    (mkIf cfg.tailscale.enable {
+      sops = {
+        secrets = {
+          "tailscale/authkey" = {
+            sopsFile = ../../../machines/secrets.yaml;
+          };
+        };
+      };
+
+      services.tailscale = {
+        enable = true;
+        openFirewall = true;
+        permitCertUid = mkIf config.services.caddy.enable config.services.caddy.user;
+        extraUpFlags = [ "--accept-routes" ] ++ (lib.optional cfg.localdns.enable "--accept-dns=false");
+        authKeyFile = config.sops.secrets."tailscale/authkey".path;
+      };
+      commonSettings.network.tailscale.before = (
+        lib.optional config.services.caddy.enable "caddy.service"
+      );
+
+      systemd.services.tailscaled.before = cfg.tailscale.before;
+      systemd.services.tailscaled.serviceConfig.ExecStartPost =
+        pkgs.writers.writePython3 "tailscale-wait-online"
+          {
+            flakeIgnore = [
+              "E401" # import on one line
+              "E501" # line length limit
+            ];
+          }
+          ''
+            import subprocess, json, time
+
+            for _ in range(30):
+                status = json.loads(
+                    subprocess.run(
+                        ["${lib.getExe config.services.tailscale.package}", "status", "--peers=false", "--json"], capture_output=True
+                    ).stdout
+                )["Self"]["Online"]
+                if status:
+                    exit(0)
+                time.sleep(1)
+
+            exit(1)
+          '';
+
+    })
+
+    (mkIf cfg.localdns.enable {
+      networking.resolvconf = {
+        enable = true;
+        dnsExtensionMechanism = false;
+        # We should disable local resolver if dae is enabled
+        # to let dns traffic go through dae
+        useLocalResolver = !config.commonSettings.network.enableProxy;
+      };
+      services.resolved.enable = false;
+
+      services.kresd = {
+        enable = true;
+        listenPlain = [ "127.0.0.1:53" ];
+        listenTLS = [ "127.0.0.1:853" ];
+        extraConfig =
+          let
+            listToLuaTable =
+              x:
+              lib.pipe x [
+                (builtins.split "\n")
+                (builtins.filter (s: s != [ ] && s != ""))
+                (lib.strings.concatMapStrings (x: "'${x}',"))
+              ];
+            chinaDomains = listToLuaTable (builtins.readFile ./china-domains.txt);
+            globalSettings = ''
+              log_level("notice")
+              modules = { 'hints > iterate', 'stats', 'predict' }
+              cache.size = ${toString cfg.localdns.cacheSize} * MB
+              trust_anchors.remove(".")
+            '';
+            tsSettings = ''
+              internalDomains = policy.todnames({'${internalDomain}'})
+              policy.add(policy.suffix(policy.STUB({'100.100.100.100'}), internalDomains))
+            '';
+            proxySettings = ''
+              policy.add(policy.domains(
+                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('8.218.218.229'), ttl=300 } }),
+                { todname('hk-00.namely.icu') }))
+              policy.add(policy.domains(
+                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('67.230.168.47'), ttl=300 } }),
+                { todname('la-00.namely.icu') }))
+              policy.add(policy.domains(
+                policy.ANSWER({ [kres.type.A] = { rdata=kres.str2ip('185.217.108.59'), ttl=300 } }),
+                { todname('fra-00.namely.icu') }))
+            '';
+            mainlandSettings = ''
+              chinaDomains = policy.todnames({'namely.icu', ${chinaDomains}})
+              policy.add(policy.suffix(policy.TLS_FORWARD({
+                { "223.5.5.5", hostname="dns.alidns.com" },
+                { "223.6.6.6", hostname="dns.alidns.com" },
+              }), chinaDomains))
+              policy.add(policy.all(policy.TLS_FORWARD({
+                { "8.8.8.8", hostname="dns.google" },
+                { "8.8.4.4", hostname="dns.google" },
+              })))
+            '';
+            overseaSettings = ''
+              policy.add(policy.all(policy.TLS_FORWARD({
+                { "8.8.8.8", hostname="dns.google" },
+                { "8.8.4.4", hostname="dns.google" },
+              })))
+            '';
+          in
+          globalSettings
+          + (if config.services.tailscale.enable then tsSettings else "")
+          + (
+            if config.commonSettings.network.enableProxy then
+              proxySettings + mainlandSettings
+            else
+              overseaSettings
+          );
+      };
+    })
+  ];
+}
--- a/modules/nixos/common-settings/nix-conf.nix
+++ b/modules/nixos/common-settings/nix-conf.nix
@ -41,10 +41,13 @@ in

    nix.optimise.automatic = true;

+    nix.channel.enable = false;
+
    nix.settings = {
      experimental-features = [
        "nix-command"
        "flakes"
+        "ca-derivations"
      ];
      auto-optimise-store = true;
      trusted-users = [ "root" ];
--- a/modules/nixos/common-settings/proxy-server.nix
+++ b/modules/nixos/common-settings/proxy-server.nix
@ -176,11 +176,8 @@ in
        reverse_proxy 127.0.0.1:30310
      '';

-      networking.firewall.allowedTCPPorts = [
-        80
-        cfg.trojan.port
-      ];
-      networking.firewall.allowedUDPPorts = [ ] ++ (lib.range 6311 6314);
+      networking.firewall.allowedTCPPorts = [ cfg.trojan.port ];
+      networking.firewall.allowedUDPPorts = lib.range 6311 6314;

      services.sing-box = {
        enable = true;
--- a/modules/nixos/common-settings/server.nix
+++ b/modules/nixos/common-settings/server.nix
@ -0,0 +1,56 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  cfg = config.commonSettings.serverComponents;
+in
+{
+  options = {
+    commonSettings.serverComponents = {
+      enable = lib.mkEnableOption "Common components on servers";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+    services.caddy = {
+      enable = true;
+      package = pkgs.caddy.withPlugins {
+        plugins = [
+          "github.com/caddy-dns/cloudflare@v0.2.1"
+        ];
+        hash = "sha256-saKJatiBZ4775IV2C5JLOmZ4BwHKFtRZan94aS5pO90=";
+      };
+    };
+
+    services.caddy.globalConfig = ''
+      servers {
+        metrics
+      }
+
+      admin unix//var/run/caddy/admin.sock {
+        origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
+      }
+    '';
+
+    systemd.services.caddy.serviceConfig = {
+      RuntimeDirectory = "caddy";
+      RuntimeDirectoryMode = "0700";
+    };
+
+    custom.monitoring = {
+      promtail.enable = true;
+    };
+
+    custom.prometheus.exporters = {
+      enable = true;
+      node.enable = true;
+    };
+  };
+}
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -2,9 +2,12 @@
  imports = [
    ./common-settings/auth.nix
    ./common-settings/autoupgrade.nix
+    ./common-settings/comin.nix
    ./common-settings/nix-conf.nix
    ./common-settings/proxy-server.nix
    ./common-settings/mainland.nix
+    ./common-settings/network.nix
+    ./common-settings/server.nix
    ./disk-partitions
    ./restic.nix
    ./monitor
--- a/modules/nixos/forgejo-actions-runner.nix
+++ b/modules/nixos/forgejo-actions-runner.nix
@ -1,45 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-let
-  cfg = config.custom.forgejo-actions-runner;
-  settingsFormat = pkgs.formats.yaml { };
-in
-{
-  options = {
-    custom.forgejo-actions-runner = {
-      enable = lib.mkEnableOption "TPM supported ssh agent in go";
-      tokenFile = lib.mkOption { type = lib.types.path; };
-      settings = lib.mkOption {
-        type = lib.types.submodule {
-          freeformType = settingsFormat.type;
-        };
-
-        default = { };
-      };
-    };
-  };
-  config = lib.mkIf cfg.enable {
-    virtualisation.docker.enable = true;
-    services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;
-    services.gitea-actions-runner.instances = {
-      "git.xinyang.life" = {
-        enable = true;
-        url = "https://git.xinyang.life";
-        tokenFile = cfg.tokenFile;
-        name = config.networking.hostName;
-        labels = [
-          "debian-latest:docker://node:18-bullseye"
-          "ubuntu-latest:docker://node:18-bullseye"
-          "nix:docker://xiny/nix-runner:2.21.0-pkgs-23.11"
-        ];
-        settings = {
-          container.network = "host";
-        } // cfg.settings;
-      };
-    };
-  };
-}
--- a/modules/nixos/kanidm-client.nix
+++ b/modules/nixos/kanidm-client.nix
@ -1,80 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-with lib;
-
-let
-  cfg = config.custom.kanidm-client;
-in
-{
-  options = {
-    custom.kanidm-client = {
-      enable = mkEnableOption "Kanidm client service";
-      asSSHAuth = mkOption {
-        type = types.submodule {
-          options = {
-            enable = mkEnableOption "Kanidm as system authentication source";
-            allowedGroups = mkOption {
-              type = types.listOf types.str;
-              example = [ "linux_users" ];
-            };
-            hardening = mkOption {
-              type = types.bool;
-              default = false;
-            };
-          };
-        };
-      };
-      sudoers = mkOption {
-        type = types.listOf types.str;
-        default = [ ];
-      };
-      uri = mkOption { type = types.str; };
-    };
-  };
-  config = mkIf cfg.enable {
-    services.kanidm = mkMerge [
-      (mkIf cfg.enable {
-        enableClient = true;
-        clientSettings = {
-          uri = cfg.uri;
-        };
-      })
-      (mkIf cfg.asSSHAuth.enable {
-        enablePam = true;
-        unixSettings = {
-          pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
-          default_shell = "/bin/sh";
-        };
-      })
-    ];
-    services.openssh = mkIf cfg.asSSHAuth.enable {
-      enable = true;
-      authorizedKeysCommand = "/etc/ssh/auth %u";
-      authorizedKeysCommandUser = "kanidm-ssh-runner";
-      settings = mkIf cfg.asSSHAuth.enable {
-        PasswordAuthentication = false;
-        KbdInteractiveAuthentication = false;
-        PermitRootLogin = lib.mkForce "no";
-      };
-    };
-
-    environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
-      mode = "0555";
-      text = ''
-        #!${pkgs.stdenv.shell}
-        ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
-      '';
-    };
-    users.groups.wheel.members = cfg.sudoers;
-    users.groups.kanidm-ssh-runner = { };
-    users.users.kanidm-ssh-runner = {
-      isSystemUser = true;
-      group = "kanidm-ssh-runner";
-    };
-
-  };
-}
--- a/modules/nixos/monitor/default.nix
+++ b/modules/nixos/monitor/default.nix
@ -119,12 +119,9 @@ in
                name = "ntfy";
                webhook_configs = [
                  {
-                    url = "${ntfyUrl}/prometheus-alerts?tpl=yes&m=${lib.escapeURL ''
-                      {{range .alerts}}[{{ if eq .status "resolved" }}✅ RESOLVED{{ else }}{{ if eq .status "firing" }}🔥 FIRING{{end}}{{end}}]{{range $k,$v := .labels}}
-                      {{$k}}={{$v}}{{end}}
-
-                      {{end}}''}";
+                    url = "${ntfyUrl}/prometheus-alerts?tpl=yes&m=%7B%7Brange%20.alerts%7D%7D%7B%7B%20if%20eq%20.status%20%22resolved%22%20%7D%7D%E2%9C%85%7B%7B%20else%20%7D%7D%7B%7B%20if%20eq%20.status%20%22firing%22%20%7D%7D%F0%9F%94%A5%7B%7Bend%7D%7D%7B%7Bend%7D%7D%7B%7B.labels.alertname%7D%7D%0A%7B%7B.annotations.summary%7D%7D%0A%7B%7Bend%7D%7D";
                    send_resolved = true;
+                    max_alerts = 10;
                  }
                ];
              }
@ -158,7 +155,7 @@ in
                severity = "critical";
              };
              annotations = {
-                summary = "Job {{ $labels.job }} down for 1m.";
+                summary = "Instance {{ $labels.instance }} of {{ $labels.job }} is down.";
              };
            }
          ];
--- a/modules/nixos/monitor/exporters.nix
+++ b/modules/nixos/monitor/exporters.nix
@ -5,17 +5,15 @@
  ...
 }:
 let
-  inherit (lib) mkIf concatStringsSep;
+  inherit (lib) mkIf getExe;
  inherit (config.my-lib.settings) prometheusCollectors;
  cfg = config.custom.prometheus.exporters;
 in
 {
  config = {
-    systemd.services.tailscaled.after =
+    commonSettings.network.tailscale.before =
      (lib.optional cfg.node.enable "prometheus-node-exporters.service")
-      ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service")
-      ++ (lib.optional config.services.caddy.enable "caddy.service");
-
+      ++ (lib.optional cfg.blackbox.enable "prometheus-blackbox-exporters.service");
    services.prometheus.exporters.node = mkIf cfg.node.enable {
      enable = true;
      enabledCollectors = [
@ -98,26 +96,6 @@ in

    services.ntfy-sh.settings.enable-metrics = true;

-    services.caddy.globalConfig = ''
-      servers {
-        metrics
-      }
-
-      admin unix//var/run/caddy/admin.sock {
-        origins 127.0.0.1 ${config.networking.hostName}.coho-tet.ts.net:2019
-      }
-    '';
-
-    systemd.services.caddy.serviceConfig = {
-      RuntimeDirectory = "caddy";
-      RuntimeDirectoryMode = "0700";
-    };
-
-    services.tailscale = {
-      permitCertUid = config.services.caddy.user;
-      openFirewall = true;
-    };
-
    services.caddy = {
      virtualHosts."https://${config.networking.hostName}.coho-tet.ts.net:2019".extraConfig = ''
        handle /metrics {
--- a/modules/nixos/monitor/grafana.nix
+++ b/modules/nixos/monitor/grafana.nix
@ -22,9 +22,9 @@ in
          name = "Kanidm";
          client_id = "grafana";
          scopes = "openid,profile,email,groups";
-          auth_url = "${idpUrl}/ui/oauth2";
-          token_url = "${idpUrl}/oauth2/token";
-          api_url = "${idpUrl}/oauth2/openid/grafana/userinfo";
+          auth_url = "https://${idpUrl}/ui/oauth2";
+          token_url = "https://${idpUrl}/oauth2/token";
+          api_url = "https://${idpUrl}/oauth2/openid/grafana/userinfo";
          use_pkce = true;
          use_refresh_token = true;
          allow_sign_up = true;
--- a/modules/nixos/monitor/loki.nix
+++ b/modules/nixos/monitor/loki.nix
@ -15,6 +15,7 @@ let
    ;
  inherit (config.my-lib.settings)
    alertmanagerPort
+    internalDomain
    ;
  cfg = config.custom.monitoring;
  lokiPort = 3100;
@ -94,16 +95,17 @@ in
        rulerFile = pkgs.writeText "ruler.yml" (builtins.toJSON rulerConfig);
      in
      mkIf cfg.loki.enable {
+        systemd.services.loki.serviceConfig.After = "tailscaled.service";
        services.loki = {
          enable = true;
          configuration = {
            auth_enabled = false;
-            server.http_listen_address = "${config.networking.hostName}.coho-tet.ts.net";
+            server.http_listen_address = "${config.networking.hostName}.${internalDomain}";
            server.http_listen_port = lokiPort;

            common = {
              ring = {
-                instance_addr = "${config.networking.hostName}.coho-tet.ts.net";
+                instance_addr = "${config.networking.hostName}.${internalDomain}";
                kvstore.store = "inmemory";
              };
              replication_factor = 1;
@ -160,7 +162,7 @@ in
        configuration = {

          server = {
-            http_listen_address = "${config.networking.hostName}.coho-tet.ts.net";
+            http_listen_address = "${config.networking.hostName}.${internalDomain}";
            http_listen_port = 28183;
            grpc_listen_port = 0;
          };
@ -169,7 +171,7 @@ in

          clients = [
            {
-              url = "http://thorite.coho-tet.ts.net:${toString lokiPort}/loki/api/v1/push";
+              url = "http://thorite.${internalDomain}:${toString lokiPort}/loki/api/v1/push";
            }
          ];

--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@ -1,52 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-
-with lib;
-
-let
-  cfg = config.custom.vaultwarden;
-in
-{
-  options = {
-    custom.vaultwarden = {
-      enable = mkEnableOption "vaultwarden server";
-      domain = mkOption {
-        type = types.str;
-        default = "bitwarden.example.com";
-        description = "Domain name of the vaultwarden server";
-      };
-      caddy = mkOption {
-        type = types.bool;
-        default = true;
-        description = "Enable Caddy as reverse proxy";
-      };
-      # TODO: mailserver support
-    };
-  };
-  config = mkIf cfg.enable {
-    services.vaultwarden = {
-      enable = true;
-      dbBackend = "sqlite";
-      config = {
-        DOMAIN = "https://${cfg.domain}";
-        SIGNUPS_ALLOWED = false;
-
-        ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = 8222;
-
-        ROCKET_LOG = "critical";
-      };
-    };
-    services.caddy = mkIf cfg.caddy {
-      enable = true;
-
-      virtualHosts."https://${cfg.domain}".extraConfig = ''
-        reverse_proxy ${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}
-      '';
-    };
-  };
-}
--- a/note.md
+++ b/note.md
@ -2,9 +2,15 @@

 Demonstrate disk usage by nix-store path.

+## Tools
+
+- new sops key should be added by using `sops updatekeys`
+
 ## TODO
 - [x] change caddy admin to unix socket 
 - [ ] admin config persist = false
 - [x] synapse jmalloc
 - [ ] backup all directories under /var/lib/forgejo
 - [ ] collect caddy access logs with promtail (waiting for caddy v2.9.0 release after which log file mode can be set)
+- [ ] update "https" to "https-file" with dae 1.0.0
+- [ ] move away from dnspod
--- a/overlays/add-pkgs.nix
+++ b/overlays/add-pkgs.nix
@ -9,4 +9,6 @@
      "idbloader.img"
    ];
  };
+
+  transmission-exporter = prev.callPackage ./pkgs/transmission-exporter.nix { };
 })
--- a/overlays/my-lib/prometheus.nix
+++ b/overlays/my-lib/prometheus.nix
@ -1,6 +1,9 @@
 let
  mkFunction = f: (targets: (map f targets));
  mkPort = port: if isNull port then "" else ":${toString port}";
+
+  # get text before "." in the url
+  subdomain = url: builtins.elemAt (builtins.elemAt (builtins.split "([a-zA-Z0-9]+)\..*" url) 1) 0;
 in
 {
  mkScrapes = mkFunction (
@ -129,8 +132,7 @@ in
            severity = "critical";
          };
          annotations = {
-            summary = "Systemd has failed units on {{ $labels.instance }}";
-            description = "There are {{ $value }} failed units on {{ $labels.instance }}. Immediate attention required!";
+            summary = "{{ $labels.job }} failed on {{ $labels.instance }}.";
          };
        }
        {
@ -141,7 +143,7 @@ in
            severity = "warning";
          };
          annotations = {
-            summary = "High load average detected on {{ $labels.instance }}";
+            summary = "High load average on {{ $labels.instance }}.";
            description = "The 1-minute load average ({{ $value }}) exceeds 80% the number of CPUs.";
          };
        }
@ -164,7 +166,7 @@ in
            severity = "warning";
          };
          annotations = {
-            summary = "High disk usage on {{ $labels.instance }}";
+            summary = "Disk usage exceeeds 85% on {{ $labels.instance }}";
          };
        }
        {
@ -177,7 +179,6 @@ in
          };
          annotations = {
            summary = "Disk usage will exceed 95% in 12 hours on {{ $labels.instance }}";
-            description = "Disk {{ $labels.mountpoint }} is predicted to exceed 92% usage within 12 hours at current growth rate";
          };
        }
        {
@ -188,8 +189,7 @@ in
            severity = "warning";
          };
          annotations = {
-            summary = "High swap usage on {{ $labels.instance }}";
-            description = "Swap usage is above 80% for 5 minutes\n Current value: {{ $value }}%";
+            summary = "Swap usage above 80% on {{ $labels.instance }}";
          };
        }
        {
@ -228,7 +228,7 @@ in
      ...
    }:
    {
-      job_name = "blackbox(${hostAddress})";
+      job_name = "blackbox(${subdomain hostAddress})";
      scrape_interval = "1m";
      metrics_path = "/probe";
      params = {
@ -268,14 +268,14 @@ in
      inherit name;
      rules = [
        {
-          alert = "ProbeError";
-          expr = "probe_success != 1";
+          alert = "ProbeToError";
+          expr = "sum by(instance) (probe_success != 1) > 0";
          for = "3m";
          labels = {
            severity = "critical";
          };
          annotations = {
-            summary = "Probing {{ $labels.instance }} from {{ $labels.from }} failed";
+            summary = "Probing {{ $labels.instance }} failed";
          };
        }
        {
--- a/overlays/my-lib/settings.nix
+++ b/overlays/my-lib/settings.nix
@ -1,7 +1,7 @@
 {
  settings = {
    alertmanagerPort = 9093;
-    idpUrl = "https://auth.xinyang.life";
+    idpUrl = "auth.xiny.li";
    gotosocialUrl = "https://gts.xiny.li";
    minifluxUrl = "https://rss.xiny.li";
    hedgedocDomain = "docs.xiny.li";
@ -13,8 +13,12 @@
    synapseUrl = "https://xiny.li";
    synapseDelegateUrl = "https://synapse.xiny.li";

+    transmissionExporterUrl = "weilite.coho-tet.ts.net:19091";
+
    prometheusCollectors = [
      "thorite.coho-tet.ts.net"
    ];
+
+    internalDomain = "coho-tet.ts.net";
  };
 }
--- a/overlays/pkgs/transmission-exporter.nix
+++ b/overlays/pkgs/transmission-exporter.nix
@ -0,0 +1,32 @@
+{
+  lib,
+  fetchFromGitHub,
+  buildGoModule,
+}:
+buildGoModule rec {
+  pname = "transmission-exporter";
+  version = "0-unstable-2024-10-09";
+  rev = "v${version}";
+
+  src = fetchFromGitHub {
+    rev = "a7872aa2975c7a95af680c51198f4a363e226c8f";
+    owner = "metalmatze";
+    repo = "transmission-exporter";
+    sha256 = "sha256-Ky7eCvC1AqHheqGGOGBNKbtVgg4Y8hDG67gCVlpUwZo=";
+  };
+
+  vendorHash = "sha256-YhmfrM5iAK0zWcUM7LmbgFnH+k2M/tE+f/QQIQmQlZs=";
+
+  ldflags = [
+    "-X github.com/prometheus/common/version.Version=${version}"
+    "-X github.com/prometheus/common/version.Revision=${rev}"
+  ];
+
+  meta = {
+    description = "Prometheus exporter for Transmission torrent client.";
+    homepage = "https://github.com/pborzenkov/transmission-exporter";
+    mainProgram = "transmission-exporter";
+    license = [ lib.licenses.mit ];
+    maintainers = [ lib.maintainers.xinyangli ];
+  };
+}
--- a/scripts/update-china-list.sh
+++ b/scripts/update-china-list.sh
@ -0,0 +1,11 @@
+output_file="modules/nixos/common-settings/china-domains.txt"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/accelerated-domains.china.raw.txt" > "$output_file"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/apple.china.raw.txt" >> "$output_file"
+curl "https://raw.githubusercontent.com/peeweep/dnsmasq-china-list-raw/refs/heads/master/google.china.raw.txt" >> "$output_file"
+# extra rules
+cat >> $output_file <<- EOM
+test.steampowered.com
+steamserver.net
+api.steampowered.com
+EOM
+