diff --git a/flake.lock b/flake.lock
index e74d8bd..70b6d93 100644
--- a/flake.lock
+++ b/flake.lock
@@ -222,11 +222,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1722304333,
- "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=",
+ "lastModified": 1722309060,
+ "narHash": "sha256-lJ5auEUvSI0H0GwW5yWLgizvJ2A+N4aL2u2Xqa6JVCc=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e",
+ "rev": "e491266f3f0e1fee7709c4d3d68130b5500dcd46",
 "type": "github"
 },
 "original": {
diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix
new file mode 100644
index 0000000..0fdb7b1
--- /dev/null
+++ b/machines/massicot/kanidm-provision.nix
@@ -0,0 +1,78 @@
+{
+ enable = true;
+ autoRemove = true;
+ groups = {
+ forgejo-access = {
+ members = [ "xin" ];
+ };
+ gts-users = {
+ members = [ "xin" ];
+ };
+ ocis-users = {
+ members = [ "xin" ];
+ };
+ linux_users = {
+ members = [ "xin" ];
+ };
+ hedgedoc-users = {
+ members = [ "xin" ];
+ };
+ immich-users = {
+ members = [ "xin" "zhuo" ];
+ };
+ };
+ persons = {
+ xin = {
+ displayName = "Xinyang Li";
+ mailAddresses = [ "lixinyang411@gmail.com" ];
+ };
+
+ zhuo = {
+ displayName = "Zhuo";
+ mailAddresses = [ "13681104320@163.com" ];
+ };
+ };
+ systems.oauth2 = {
+ forgejo = {
+ displayName = "ForgeJo";
+ originUrl = "https://git.xinyang.life/";
+ originLanding = " https://git.xinyang.life/user/oauth2/kandim";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ forgejo-access = [ "openid" "email" "profile" "groups" ];
+ };
+ };
+ gts = {
+ displayName = "GoToSocial";
+ originUrl = "https://xinyang.life/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ gts-users = [ "openid" "email" "profile" "groups" ];
+ };
+ };
+ owncloud = {
+ displayName = "ownCloud";
+ originUrl = "https://home.xinyang.life:9201/";
+ public = true;
+ scopeMaps = {
+ ocis-users = [ "openid" "email" "profile" ];
+ };
+ };
+ hedgedoc = {
+ displayName = "HedgeDoc";
+ originUrl = "https://docs.xinyang.life/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ hedgedoc-users = [ "openid" "email" "profile" ];
+ };
+ };
+ immich-mobile = {
+ displayName = "Immich";
+ originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ immich-users = [ "openid" "email" "profile" ];
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index 2bb6541..6c87d4a 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
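Review bot: `originLanding = " https://git.xinyang.life/user/oauth2/kandim";` in the forgejo client has a leading space inside the string and "kandim" looks like a transposition of "kanidm", so the post-login landing URL is likely either rejected or pointed at a path that does not exist; unless "kandim" is really the provider name registered on the Forgejo side, the line should read `originLanding = "https://git.xinyang.life/user/oauth2/kanidm";`. Separately, `allowInsecureClientDisablePkce = true;` appears on forgejo, gts, hedgedoc and immich-mobile; it is a per-client downgrade of the authorization-code flow and is best kept only for clients that genuinely cannot send a code verifier, with a one-line comment on each naming why, so it can be dropped once the client gains PKCE support. The file is a bare attribute set with nothing saying what consumes it; a header such as `# services.kanidm.provision for massicot; imported from services.nix` would make that clear. Both the URL and the PKCE flags are carried over verbatim from services.nix by this move rather than introduced by it.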
@@ -73,84 +73,7 @@ in
 tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
 # db_path = "/var/lib/kanidm/kanidm.db";
 };
- provision = {
- enable = true;
- autoRemove = true;
- groups = {
- forgejo-access = {
- members = [ "xin" ];
- };
- gts-users = {
- members = [ "xin" ];
- };
- ocis-users = {
- members = [ "xin" ];
- };
- linux_users = {
- members = [ "xin" ];
- };
- hedgedoc-users = {
- members = [ "xin" ];
- };
- immich-users = {
- members = [ "xin" "zhuo" ];
- };
- };
- persons = {
- xin = {
- displayName = "Xinyang Li";
- mailAddresses = [ "lixinyang411@gmail.com" ];
- };
-
- zhuo = {
- displayName = "Zhuo";
- mailAddresses = [ "13681104320@163.com" ];
- };
- };
- systems.oauth2 = {
- forgejo = {
- displayName = "ForgeJo";
- originUrl = "https://git.xinyang.life/";
- originLanding = " https://git.xinyang.life/user/oauth2/kandim";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- forgejo-access = [ "openid" "email" "profile" "groups" ];
- };
- };
- gts = {
- displayName = "GoToSocial";
- originUrl = "https://xinyang.life/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- gts-users = [ "openid" "email" "profile" "groups" ];
- };
- };
- owncloud = {
- displayName = "ownCloud";
- originUrl = "https://home.xinyang.life:9201/";
- public = true;
- scopeMaps = {
- ocis-users = [ "openid" "email" "profile" ];
- };
- };
- hedgedoc = {
- displayName = "HedgeDoc";
- originUrl = "https://docs.xinyang.life/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- hedgedoc-users = [ "openid" "email" "profile" ];
- };
- };
- immich-mobile = {
- displayName = "Immich";
- originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- immich-users = [ "openid" "email" "profile" ];
- };
- };
- };
- };
+ provision = import ./kanidm-provision.nix;
 };
 services.matrix-conduit = {
 enable = true;