diff --git a/nixos/profiles/common/opt-in/mihomo/config.yaml b/nixos/profiles/common/opt-in/mihomo/config.yaml
index 8ab93c8..8ac6f39 100644
--- a/nixos/profiles/common/opt-in/mihomo/config.yaml
+++ b/nixos/profiles/common/opt-in/mihomo/config.yaml
@@ -10,17 +10,18 @@ fetch: &fetch
 use: &use
   type: select
   use:
-    - flyairport
     - efcloud
-    - kogeki
+    - flyairport
     - spcloud
 
 use-backup: &use-backup
   type: select
   use:
-    - pawdroid
     - ermaozi
-    #- jsnzkpg
+    - jsnzkpg
+    - pawdroid
+
+convert: &convert "https://sub.maoxiongnet.com/sub?target=clash&list=true&url="
 
 port: 7890
 external-controller: 127.0.0.1:9090
@@ -29,6 +30,39 @@ unified-delay: true
 tcp-concurrent: true
 geodata-mode: true
 
+secret: "@clash/secret@"
+
+proxies:
+  # @clash/proxies/lightsail@
+
+proxy-providers:
+  efcloud:
+    <<: *fetch
+    url: "@clash/proxy-providers/efcloud@"
+  flyairport:
+    <<: *fetch
+    url: "@clash/proxy-providers/flyairport@"
+  spcloud:
+    <<: *fetch
+    url: "@clash/proxy-providers/spcloud@"
+
+  # Free servers that I dont really care about
+  ermaozi:
+    <<: *fetch
+    url: >
+      *convert
+      https://cdn.jsdelivr.net/gh/ermaozi/get_subscribe@main/subscribe/v2ray.txt
+  jsnzkpg:
+    <<: *fetch
+    url: >
+      *convert
+      https://cdn.jsdelivr.net/gh/Jsnzkpg/Jsnzkpg@Jsnzkpg/Jsnzkpg
+  pawdroid:
+    <<: *fetch
+    url: >
+      *convert
+      https://cdn.jsdelivr.net/gh/Pawdroid/Free-servers@main/sub
+
 proxy-groups:
   - {
       name: PROXY,
diff --git a/nixos/profiles/common/opt-in/mihomo/default.nix b/nixos/profiles/common/opt-in/mihomo/default.nix
index 445eef4..7e8249e 100644
--- a/nixos/profiles/common/opt-in/mihomo/default.nix
+++ b/nixos/profiles/common/opt-in/mihomo/default.nix
@@ -1,4 +1,5 @@
 {
+  lib,
   pkgs,
   config,
   ...
@@ -27,45 +28,23 @@
   sops.secrets = builtins.mapAttrs (_name: value: value // {restartUnits = ["mihomo.service"];}) {
     "clash/secret" = {};
     "clash/proxies/lightsail" = {};
-    "clash/proxy-providers/flyairport" = {};
     "clash/proxy-providers/efcloud" = {};
-    "clash/proxy-providers/kogeki" = {};
+    "clash/proxy-providers/flyairport" = {};
     "clash/proxy-providers/spcloud" = {};
   };
 
-  sops.templates."clash.yaml".content = let
-    convert = url: "https://sub.maoxiongnet.com/sub?target=clash&list=true&url=${url}";
-  in
-    builtins.readFile ./config.yaml
-    + ''
-      secret: "${config.sops.placeholder."clash/secret"}"
-
-      proxies:
-        ${config.sops.placeholder."clash/proxies/lightsail"}
-
-      proxy-providers:
-        flyairport:
-          <<: *fetch
-          url: "${config.sops.placeholder."clash/proxy-providers/flyairport"}"
-        efcloud:
-          <<: *fetch
-          url: "${config.sops.placeholder."clash/proxy-providers/efcloud"}"
-        kogeki:
-          <<: *fetch
-          url: "${config.sops.placeholder."clash/proxy-providers/kogeki"}"
-        spcloud:
-          <<: *fetch
-          url: "${config.sops.placeholder."clash/proxy-providers/spcloud"}"
-
-        # Free servers that I dont really care about
-        pawdroid:
-          <<: *fetch
-          url: "${convert "https://cdn.jsdelivr.net/gh/Pawdroid/Free-servers@main/sub"}"
-        ermaozi:
-          <<: *fetch
-          url: "${convert "https://cdn.jsdelivr.net/gh/ermaozi/get_subscribe@main/subscribe/v2ray.txt"}"
-        #jsnzkpg:
-        #  <<: *fetch
-        #  url: "${convert "https://cdn.jsdelivr.net/gh/Jsnzkpg/Jsnzkpg@Jsnzkpg/Jsnzkpg"}"
-    '';
+  # why not substituteAll? see https://github.com/NixOS/nixpkgs/issues/237216
+  sops.templates."clash.yaml".file = pkgs.substitute {
+    src = ./config.yaml;
+    replacements = let
+      inherit' = list: lib.flatten (map (attr: ["--subst-var-by" attr config.sops.placeholder.${attr}]) list);
+    in
+      inherit' [
+        "clash/secret"
+        "clash/proxies/lightsail"
+        "clash/proxy-providers/efcloud"
+        "clash/proxy-providers/flyairport"
+        "clash/proxy-providers/spcloud"
+      ];
+  };
 }
diff --git a/secrets.yaml b/secrets.yaml
index 230c821..5a65bab 100644
--- a/secrets.yaml
+++ b/secrets.yaml
@@ -6,11 +6,10 @@ wireless:
 clash:
     secret: ENC[AES256_GCM,data:eCq/pDlSOw==,iv:QGNKxqmkj9BWFBJGj/O4fUL8Ey8zGEHMsWX02DrM82U=,tag:z2vVCBSt6mw47ca2xoxg9A==,type:str]
     proxies:
-        lightsail: ENC[AES256_GCM,data:0lbXCE21o8FrQonV1AElDxGG+eTrFIabch/QnE0tZ5QoioDRstMs1oiXN/XQHJqQdHLY+blgyEyyBjJMc8rjRcGEgAy081xzlcD2VKDoXOBcnMgBNtMz1i8aG+DqfjadDWBt0v0KK2GgiZ9K+A8=,iv:wDo0S4XlFN6kRlApAIePYdJgGMwz/TJuxInZ8vGTUeQ=,tag:8oBxnC3qTQQ7ofGmNmi/Ew==,type:str]
+        lightsail: ENC[AES256_GCM,data:ik3GANdJuZuYkl2kUMiCu6rWhOBTgvYuDT0Xn+/pZwyBVRWtwPhfLY6Ptm0GXj77zzD0/5bgxPRCNJncQEH2NarkqE/DXlluKqlBjOThgRjtVQF+FCJ01Y6/tL0HsvgZse9hasNtrXJHy+PGDiZdcNDmr+piB53Pgt+jdw==,iv:X9+PZUjWlOl74VLXW++SVDd+9U1guglNABe/N/iyMLs=,tag:OYj5a6i9WhkyK5m2wllCmg==,type:str]
     proxy-providers:
         flyairport: ENC[AES256_GCM,data:akHdU/2o8D65sG2b/mcj76HASwhg3WvoEcrpgkXPyh7kuc+Ci42hmmmmBk9I29vuvZjTtCTs8mMzaLK1wm8TS/K1A1zeAGULxSsqhpV4cA19Q4vAtQ2+FyuGiaFszuaHK6BSlZAosfmCGoM1nZRYuOnsdeR0vnHBIHhJFNhaLw==,iv:VeVT3cEaOO/90gcqpm2yOacThbEyaXuBRhp4buX/XOY=,tag:kojJbqwYk/DNFBcJMY2eXg==,type:str]
         efcloud: ENC[AES256_GCM,data:GvKNMscPknhlBy9Qp8iuYoxF10oX2ZIOKo+XKRH2NOGGDiMk/GwdGfA5+gf3ZcEEGFGw/8CrBddjJCivyxqwF+oAEHJyjdcFhGyyOopsx9s3waq8Hge/KzE=,iv:WXAd3yA5cTZp+ttKHXPf6cbsk6pRXq5/xMysNUAs1Rk=,tag:HygexRSW8ICa+RIFmrRKRQ==,type:str]
-        kogeki: ENC[AES256_GCM,data:159GepC8UUm4FA7vRZO9RJ5DCPigt8RUsm78ibVjU8SHKTtMS6bHPA40S8l6V07VJmytRaXqWCIkiI7dXR64UvoRe+gMD2a0y8UgM4Pncf0IWpxhag==,iv:KBf4IPfof4bgs87udH+aXQ95K3F1Zuw5Ueh+b4AkQFg=,tag:F8TPR5kxIlmA+LG7kvz3HQ==,type:str]
         spcloud: ENC[AES256_GCM,data:Uz0SLmSxzV/hcsBuYtlsZ5G5E8wjzmHcFMGCyBrEewOr6gAdBQvC4njotYbMIdQAQRTgAE2wBukdSxXWCTrNph7uoVhskz1YkNjxnQVPUO5WfQ==,iv:TwHPdeATx+LanfhHeD7M5sSf3M2NLBWBAAaFTwgsK7A=,tag:9DMgcSoy4ksYl/dPWwA+dA==,type:str]
 sops:
     kms: []
@@ -54,8 +53,8 @@ sops:
             SC9YMFk4dUNOUDJYMXErck8yTmJmZmcKp66bHZTD6VitAOfzIr8VJr02+R9f5mxH
             c5n2CWurDsZsNTKk7pgxQo78ySyAG3rzvOqgK0NFesyHy9dRl8xHCQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-05-01T11:58:20Z"
-    mac: ENC[AES256_GCM,data:mlOkAorzLzSGFDhFlZ1Kx3AYWSeJGJbk8JFaidWIk1Bp5/4ttO4sFskfRl4SqXCcAcqvgGDhzit5x/i9cCzlrE004f0t4hsupxQOkZ8yZ5+8uT4Q4NFdPf+WPU6/LwG8qrv2i7qbjRb2bnTVKqzyjvrKjx2ZIScAlzWm87bAjuk=,iv:xshvSgZ1P+z6NwrrlouyO8lYL/4ohedKZmbkewS7w3k=,tag:AFBnvs55Ws8ShVFRie1Rew==,type:str]
+    lastmodified: "2024-06-16T02:17:41Z"
+    mac: ENC[AES256_GCM,data:JDCxFDk8NnXuFb1s0oTc5dMkZVCAoqlnUh9CzZajlXoGKetrEJQRZtxxr1yzWYl548eltEyRHzUl8idsjz6OdycmrX7hL0pHQHK0QxB4iIsiJAfBX6Sa8inkp2Os7HOgxRSC4QKKb3Ua32BG40KTL/eoVkCimaby4kUZqVQHLjU=,iv:dU4zAA54KUppdAlWB6/XU0fMuuF1QSpuqpdjp9ucmz4=,tag:AGAxLXs5M5ZMixXA3yVosw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1