diff --git a/flake.nix b/flake.nix
index f3b3633..e5d7755 100644
--- a/flake.nix
+++ b/flake.nix
@@ -115,7 +115,6 @@
 
           massicot = { name, nodes, pkgs, ... }: with inputs; {
               deployment.targetHost = "49.13.13.122";
-              deployment.targetUser = "xin";
 
               imports = [
                   { nixpkgs.system = "aarch64-linux"; }
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index 3309e68..4354bcd 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -119,13 +119,9 @@
 
   services.kanidm = {
     enableClient = true;
-    enablePam = true;
     clientSettings = {
       uri = "https://auth.xinyang.life";
     };
-    unixSettings = {
-      pam_allowed_login_groups = [ "linux_users" "xin@auth.xinyang.life" "test" ];
-    };
   };
 
   # Enable automatic login for the user.
diff --git a/machines/dolomite/default.nix b/machines/dolomite/default.nix
index f03d8b4..e10df8b 100644
--- a/machines/dolomite/default.nix
+++ b/machines/dolomite/default.nix
@@ -46,6 +46,32 @@
       };
     };
 
+    custom.kanidm-client = {
+      enable = true;
+      uri = "https://auth.xinyang.life/";
+      asSSHAuth = {
+        enable = true;
+        allowedGroups = [ "linux_users" ];
+      };
+      sudoers = [ "xin@auth.xinyang.life" ];
+    };
+
+    services.openssh = {
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = lib.mkForce "no";
+        GSSAPIAuthentication = "no";
+        KerberosAuthentication = "no";
+      };
+    };
+    services.fail2ban.enable = true;
+
+    security.sudo = {
+      execWheelOnly = true;
+      wheelNeedsPassword = false;
+    };
+
     services.sing-box = let
       singTls = {
         enabled = true;
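Review bot: `wheelNeedsPassword = false` in the new `security.sudo` block, together with `sudoers = [ "xin@auth.xinyang.life" ]` being placed into wheel by the kanidm-client module, means a compromise of that Kanidm account or of the IdP behind `auth.xinyang.life` is passwordless root on dolomite with no local second factor. Consider leaving `wheelNeedsPassword` at its default and accepting a sudo prompt, or restricting NOPASSWD to the specific commands a deploy needs via `security.sudo.extraRules`. `PermitRootLogin = lib.mkForce "no"` also differs from the plain assignment used on massicot; if another module sets this option, the mkForce silently wins rather than surfacing the conflict, so it is worth checking what it overrides. The enclosing attribute set starts before and ends after this hunk.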
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 98328f3..283dadb 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -62,31 +62,33 @@
     hostName = "massicot";
   };
 
+  custom.kanidm-client = {
+    enable = true;
+    uri = "https://auth.xinyang.life/";
+    asSSHAuth = {
+      enable = true;
+      allowedGroups = [ "linux_users" ];
+    };
+    sudoers = [ "xin@auth.xinyang.life" ];
+  };
+
+  security.sudo = {
+      execWheelOnly = true;
+      wheelNeedsPassword = false;
+    };
+
   services.openssh = {
     enable = true;
     settings = {
       PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "no";
+      GSSAPIAuthentication = "no";
+      KerberosAuthentication = "no";
     };
   };
+
+  services.fail2ban.enable = true;
   
   systemd.services.sshd.wantedBy = pkgs.lib.mkForce [ "multi-user.target" ];
-  
-  users.users.xin = {
-    isNormalUser = true;
-    extraGroups = [ "wheel" "networkmanager" ];
-    openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPBcSvUQnmMFtpftFKIsDqeyUyZHzRg5ewgn3VEcLnss"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIInPn+7cMbH7zCEPJArU/Ot6oq8NHo8a2rYaCfTp7zgd"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPeNQ43f/ce4VxVPsAaKPPTp8rokQpmwNIsOX7JBZq4A"
-    ];
-    hashedPassword = "$y$j9T$JOJn97hZndiDamUmmT.iq.$ue7gNZz/b14ur8GhyutOCvFjsv.3rcsHmk7m.WRk6u7";
-  };
-
-  security.sudo.extraRules = [
-    { users = [ "xin" ];
-      commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ];
-    }
-  ];
-
-  
 }
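Review bot: Removing the local `xin` account (its keys and password hash) while setting `PermitRootLogin = "no"` leaves Kanidm PAM/NSS as the only interactive login path on massicot, so an outage of `auth.xinyang.life` or of kanidm-unixd locks you out with no break-glass; keep one key-only local user that does not depend on the IdP, e.g. `users.users.<name> = { isNormalUser = true; openssh.authorizedKeys.keys = [ ... ]; };`. Related: flake.nix drops `deployment.targetUser` for this host, so the deploy tool's default user now applies — if that default is root, deploys will fail against the new `PermitRootLogin`, so verify which user it uses. The `hashedPassword` removed here was committed to the repository and remains in history, so treat that credential as exposed regardless of this change. The `security.sudo` block is indented inconsistently with its neighbours. The enclosing top-level attribute set starts before this hunk.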
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index e5ecdcc..9c7504e 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -40,7 +40,7 @@ in
     value = { 
       device = "//u380335-sub1.your-storagebox.de/u380335-sub1/${share}";
       fsType = "cifs";
-      options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path}"];
+      options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,x-systemd.automount"];
     };
   }) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] );
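Review bot: The new option string forces `uid`/`gid` per share but sets no `file_mode`/`dir_mode`, and as far as I recall the cifs default for both is 0755, so every local account — now including Kanidm-sourced logins on this host — can read the other services' repositories, media and database files. Add `file_mode=0640,dir_mode=0750` (or 0600/0700) and, since these are pure data shares, `nosuid,nodev,noexec`, e.g. `options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path},rw,file_mode=0640,dir_mode=0750,nosuid,nodev,noexec,x-systemd.automount"];`. The `fileSystems` expression this hunk edits starts before the hunk.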
 
@@ -112,6 +112,7 @@ in
         ROOT_URL = "https://git.xinyang.life/";
         START_SSH_SERVER = true;
         BUILTIN_SSH_SERVER_USER = "git";
+        SSH_USER = "git";
         SSH_DOMAIN = "ssh.xinyang.life";
         SSH_PORT = 2222;
         LFS_MAX_FILE_SIZE = 10737418240;
@@ -138,6 +139,15 @@ in
     };
   };
 
+  users.users.git = {
+    isSystemUser = true;
+    useDefaultShell = true;
+    group = "git";
+    extraGroups = [ "forgejo" ];
+  };
+  users.groups.git = { };
+
+
   services.caddy = {
     enable = true;
     virtualHosts."xinyang.life:443".extraConfig = ''
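Review bot: `useDefaultShell = true` gives the new `git` system user an interactive login shell, which the Forgejo built-in SSH server (`START_SSH_SERVER = true` earlier in this file) does not require, and with the Kanidm-backed `AuthorizedKeysCommand` now configured on this host a Kanidm POSIX account that resolves as `git` could — as far as I can tell, worth confirming — open a shell in the `forgejo` group. Unless the system sshd is meant to serve git traffic, drop `useDefaultShell = true` so the account keeps the nologin shell NixOS gives system users, and check whether `extraGroups = [ "forgejo" ]` is needed at all. If the shell is intentional, a comment such as `# login shell required: system sshd hands git traffic to this user` would save the next reader the guess. The `services.caddy` block that follows continues past the hunk.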
diff --git a/modules/home-manager/vscode.nix b/modules/home-manager/vscode.nix
index d3b604c..38e70e9 100644
--- a/modules/home-manager/vscode.nix
+++ b/modules/home-manager/vscode.nix
@@ -67,7 +67,7 @@ in
           80
         ];
         "editor.mouseWheelZoom" = true;
-        "git.autofetch" = true;
+        "git.autofetch" = false;
         "window.zoomLevel" = -1;
 
         "nix.enableLanguageServer" = true;
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 81ab1d0..3ba4a9b 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -6,5 +6,6 @@
     ./prometheus.nix
     ./hedgedoc.nix
     ./sing-box.nix
+    ./kanidm-client.nix
   ];
 }
diff --git a/modules/nixos/kanidm-client.nix b/modules/nixos/kanidm-client.nix
new file mode 100644
index 0000000..8821fc1
--- /dev/null
+++ b/modules/nixos/kanidm-client.nix
@@ -0,0 +1,64 @@
+{ config, pkgs, lib, ... }:
+with lib;
+
+let
+  cfg = config.custom.kanidm-client;
+in
+{
+  options = {
+    custom.kanidm-client = {
+      enable = mkEnableOption "Kanidm client service";
+      asSSHAuth = mkOption {
+        type = types.submodule {
+          options = {
+            enable = mkEnableOption "Kanidm as system authentication source";
+            allowedGroups = mkOption {
+              type = types.listOf types.str;
+              example = [ "linux_users" ];
+            };
+          };
+        };
+      };
+      sudoers = mkOption {
+        type = types.listOf types.str;
+        default = [ ];
+      };
+      uri = mkOption {
+        type = types.str;
+      };
+    };
+  };
+  config = mkIf cfg.enable {
+    services.kanidm = mkMerge
+      [ (mkIf cfg.enable {
+          enableClient = true;
+          clientSettings = {
+            uri = cfg.uri;
+          };
+        })
+        (mkIf cfg.asSSHAuth.enable {
+           enablePam = true;
+           unixSettings = {
+             pam_allowed_login_groups = cfg.asSSHAuth.allowedGroups;
+             default_shell = "/bin/sh";
+           };
+        })
+      ];
+    services.openssh = mkIf cfg.asSSHAuth.enable {
+      enable = true;
+      authorizedKeysCommand = "/etc/ssh/auth %u";
+      authorizedKeysCommandUser = "kanidm-ssh-runner"; 
+    };
+    environment.etc."ssh/auth" = mkIf cfg.asSSHAuth.enable {
+      mode = "0555";
+      text = ''
+        #!${pkgs.stdenv.shell}
+        ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
+      '';
+    };
+    users.groups.wheel.members = cfg.sudoers;
+    users.groups.kanidm-ssh-runner = { };
+    users.users.kanidm-ssh-runner = { isSystemUser = true; group = "kanidm-ssh-runner"; };
+  };
+}
+
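Review bot: The wrapper in `environment.etc."ssh/auth"` expands `$1` unquoted and has no `set -eu`; make it `exec ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys "$1"` with a `set -eu` line above it — sshd already discards output on a non-zero exit, so failing loudly is the safe direction. More importantly, `AuthorizedKeysCommand` runs for every account that resolves locally, not only Kanidm ones: `pam_allowed_login_groups` gates the Kanidm PAM path, but a Kanidm POSIX account whose name matches a local user with a shell would, as far as I can tell, have its Kanidm SSH keys accepted for that local user — confirm this, and add a comment on the `authorizedKeysCommand` line stating the intended scope either way. `asSSHAuth` has no `default`, so a host that sets only `enable = true` may fail evaluation with "used but not defined" on `cfg.asSSHAuth.enable`; add `default = { };` to that option. The inner `mkIf cfg.enable` inside the `mkMerge` is redundant under the outer `config = mkIf cfg.enable`, and the sshd hardening both hosts repeat (`PasswordAuthentication`, `KbdInteractiveAuthentication`, `PermitRootLogin`) could live here under `asSSHAuth.enable` so the two machines do not drift (dolomite uses `lib.mkForce`, massicot does not).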