Add grafana system & traefik dashboards

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

.gitmodules

@@ -4,6 +4,6 @@
 [submodule "sas"]
 	path = submodules/sas
 	url = git@karaolidis.com:karaolidis/nix-sas.git
-[submodule "submodules/lib"]
+[submodule "lib"]
 	path = submodules/lib
 	url = git@karaolidis.com:karaolidis/nix-lib.git

README.md

@@ -20,11 +20,12 @@ NixOS dotfiles and configuration for various hosts and users.
 
 - [`packages/`](./packages/): Custom packages.
 
-- [`scripts/`](./lib/scripts): Utility scripts for managing the repository.
+- [`scripts/`](./scripts): Utility scripts for managing the repository.
-  - [`add-host.sh`](./lib/scripts/add-host.sh): Instantiate the keys for a new host configuration.
+  - [`add-host.sh`](./scripts/add-host.sh): Instantiate the keys for a new host configuration.
-  - [`remove-host.sh`](./lib/scripts/remove-host.sh): Remove references to a host.
+  - [`remove-host.sh`](./scripts/remove-host.sh): Remove references to a host.
-  - [`update-keys.sh`](./lib/scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
+  - [`update-keys.sh`](./scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
-  - [`update.sh`](./lib/scripts/update.sh): Update flake and all packages.
+  - [`update.sh`](./scripts/update.sh): Update flake and all packages.
+  - [`cache.sh`](./scripts/cache.sh): Build all `nixosConfiguration`s and push them to `attic`.
 
 Any `options.nix` files create custom option definitions when present.
 

flake.lock

@@ -10,11 +10,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754932414,
+        "lastModified": 1756487002,
-        "narHash": "sha256-V8c+68Axn5AGDCaG9Zv+EqNU4D6xWPHNXLIapq6AGiM=",
+        "narHash": "sha256-hN9RfNXy53qAkT68T+IYZpl68uE1uPOVMkw0MqC43KA=",
         "owner": "aylur",
         "repo": "ags",
-        "rev": "9e6912b51d7bc58f35d10b11be1a126b926b56d3",
+        "rev": "8ff792dba6cc82eed10e760f551075564dd0a407",
         "type": "github"
       },
       "original": {
@@ -30,11 +30,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754893912,
+        "lastModified": 1756474652,
-        "narHash": "sha256-kzU/3A4k+d3PsgMLohzSh4KJybTqvzqibUVqV2yXCGY=",
+        "narHash": "sha256-iiBU6itpEqE0spXeNJ3uJTfioSyKYjt5bNepykpDXTE=",
         "owner": "aylur",
         "repo": "astal",
-        "rev": "5d4eef66392b0dff99a63a4f39ff886624bd69dd",
+        "rev": "20bd8318e4136fbd3d4eb2d64dbabc3acbc915dd",
         "type": "github"
       },
       "original": {
@@ -80,19 +80,17 @@
       }
     },
     "flake-compat": {
-      "flake": false,
       "locked": {
-        "lastModified": 1747046372,
+        "lastModified": 1733328505,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "owner": "edolstra",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "repo": "flake-compat",
+        "revCount": 69,
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "tarball",
-        "type": "github"
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
       },
       "original": {
-        "owner": "edolstra",
+        "type": "tarball",
-        "repo": "flake-compat",
+        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
-        "type": "github"
       }
     },
     "flake-input-patcher": {
@@ -185,11 +183,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755442500,
+        "lastModified": 1756579987,
-        "narHash": "sha256-RHK4H6SWzkAtW/5WBHsyugaXJX25yr5y7FAZznxcBJs=",
+        "narHash": "sha256-duCce8zGsaMsrqqOmLOsuaV1PVIw/vXWnKuLKZClsGg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d2ffdedfc39c591367b1ddf22b4ce107f029dcc3",
+        "rev": "99a69bdf8a3c6bf038c4121e9c4b6e99706a187a",
         "type": "github"
       },
       "original": {
@@ -201,7 +199,9 @@
     "lanzaboote": {
       "inputs": {
         "crane": "crane",
-        "flake-compat": "flake-compat",
+        "flake-compat": [
+          "flake-compat"
+        ],
         "flake-parts": [
           "flake-parts"
         ],
@@ -235,11 +235,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755449842,
+        "lastModified": 1755506074,
-        "narHash": "sha256-u9V4hAryxP626EQlkwrAesyKbFssX7ovGp2wcW5y528=",
+        "narHash": "sha256-SztuKbAPppW5grMJLSGO5rBCXEWCOfhb39cPDONEUfo=",
         "ref": "refs/heads/main",
-        "rev": "10930e85d60f2eba7509d1f3ab2e54e6a5c0698a",
+        "rev": "ac85b6f608ed88d424621ec30f3848d621383487",
-        "revCount": 5,
+        "revCount": 6,
         "type": "git",
         "url": "https://git.karaolidis.com/karaolidis/nix-lib.git"
       },
@@ -248,13 +248,52 @@
         "url": "https://git.karaolidis.com/karaolidis/nix-lib.git"
       }
     },
+    "mnw": {
+      "locked": {
+        "lastModified": 1748710831,
+        "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=",
+        "owner": "Gerg-L",
+        "repo": "mnw",
+        "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Gerg-L",
+        "repo": "mnw",
+        "type": "github"
+      }
+    },
+    "nixos-wsl": {
+      "inputs": {
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1755774185,
+        "narHash": "sha256-XjKqiTA19mkoBkja0VOy90qp2gC1f2fGgsLb9m1lg5Q=",
+        "owner": "karaolidis",
+        "repo": "NixOS-WSL",
+        "rev": "b1f426697f62006b99fac0cc25a106626c78f874",
+        "type": "github"
+      },
+      "original": {
+        "owner": "karaolidis",
+        "ref": "extra-files",
+        "repo": "NixOS-WSL",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1755186698,
+        "lastModified": 1756542300,
-        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
+        "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
+        "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa",
         "type": "github"
       },
       "original": {
@@ -289,11 +328,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755452770,
+        "lastModified": 1756630008,
-        "narHash": "sha256-oc8xrqvVIoDxbfTlbkE1XQ7O88TgNZn5FOZKLiuIEmg=",
+        "narHash": "sha256-weZiVKbiWQzTifm6qCxzhxghEu5mbh9mWNUdkzOLCR0=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "eab62298402c7cdfdefda647a4046befa3a84051",
+        "rev": "f6a5a7b60dd6065e78ef06390767e689ffa3c23f",
         "type": "github"
       },
       "original": {
@@ -302,6 +341,36 @@
         "type": "github"
       }
     },
+    "nvf": {
+      "inputs": {
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "mnw": "mnw",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": [
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1755463179,
+        "narHash": "sha256-5Ggb1Mhf7ZlRgGi2puCa2PvWs6KbMnWBlW6KW7Vf79Y=",
+        "owner": "NotAShelf",
+        "repo": "nvf",
+        "rev": "03833118267ad32226b014b360692bdce9d6e082",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NotAShelf",
+        "repo": "nvf",
+        "type": "github"
+      }
+    },
     "nvidia-patch": {
       "inputs": {
         "nixpkgs": [
@@ -312,11 +381,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755069017,
+        "lastModified": 1756052001,
-        "narHash": "sha256-cTD5WfZRK2mwrSktlYcrk6DOEEkQbE1z78O16TF293c=",
+        "narHash": "sha256-dlLqyHxqiFAoIwshKe9X3PzXcJ+up88Qb2JVQswFaNE=",
         "owner": "icewind1991",
         "repo": "nvidia-patch-nixos",
-        "rev": "d187885c14bdd8520d40f527134d536168f8d92b",
+        "rev": "780af7357d942fad2ddd9f325615a5f6ea7e37ee",
         "type": "github"
       },
       "original": {
@@ -371,14 +440,17 @@
         "ags": "ags",
         "astal": "astal",
         "disko": "disko",
+        "flake-compat": "flake-compat",
         "flake-input-patcher": "flake-input-patcher",
         "flake-parts": "flake-parts",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
         "lanzaboote": "lanzaboote",
         "lib": "lib",
+        "nixos-wsl": "nixos-wsl",
         "nixpkgs": "nixpkgs",
         "nur": "nur",
+        "nvf": "nvf",
         "nvidia-patch": "nvidia-patch",
         "quadlet-nix": "quadlet-nix",
         "sas": "sas",
@@ -423,11 +495,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755453501,
+        "lastModified": 1755532656,
-        "narHash": "sha256-kdcefjI7uX/B8z0A2ZQ7yH0FHKJxJP0GS5A5XdWU5M8=",
+        "narHash": "sha256-xYb5dJej3emyr4oWWAhkMP8rPc3kdVOXGZcIbAx1Y/I=",
         "ref": "refs/heads/main",
-        "rev": "2c6c3f6761dde7ec19ae1a1432fd7b83a97ac911",
+        "rev": "b01f3f8456903cb1bde9637cc23b456b47354138",
-        "revCount": 9,
+        "revCount": 11,
         "type": "git",
         "url": "ssh://git@karaolidis.com/karaolidis/nix-sas.git"
       },
@@ -439,11 +511,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1755454846,
+        "lastModified": 1756900832,
-        "narHash": "sha256-tbI+AcQGvtucMKKr+VHM53ZI6upPBjD9kR5PCyF4K60=",
+        "narHash": "sha256-sMne4dvYzcdbDVcMPY6NLVHiZbgjtDrxttKG0Vig8WQ=",
         "ref": "refs/heads/main",
-        "rev": "c1a835c4f9ba9915671c79b3241f4d4863f11323",
+        "rev": "adac63f6daffb4e14ce0fb94e93eb987e2460064",
-        "revCount": 33,
+        "revCount": 38,
         "type": "git",
         "url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git"
       },
@@ -482,11 +554,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755405549,
+        "lastModified": 1756614537,
-        "narHash": "sha256-0vJD6WhL1jfXbnpH6r8yr1RgzB8mGFWIWokKHaJMJ/4=",
+        "narHash": "sha256-qyszmZO9CEKAlj5NBQo1AIIADm5Fgqs5ZggW1sU1TVo=",
         "owner": "Gerg-L",
         "repo": "spicetify-nix",
-        "rev": "df1f5d4c0633040937358755defff9f07e9c0a73",
+        "rev": "374eb5d97092b97f7aaafd58a2012943b388c0df",
         "type": "github"
       },
       "original": {
@@ -517,11 +589,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754847726,
+        "lastModified": 1755934250,
-        "narHash": "sha256-2vX8QjO5lRsDbNYvN9hVHXLU6oMl+V/PsmIiJREG4rE=",
+        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "7d81f6fb2e19bf84f1c65135d1060d829fae2408",
+        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,5 +1,6 @@
 {
   inputs = {
+    # Configuration
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
     home-manager = {
@@ -7,49 +8,7 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    disko = {
+    # Packages
-      url = "github:nix-community/disko/latest";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    sops-nix = {
-      url = "github:Mic92/sops-nix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    lanzaboote = {
-      url = "github:nix-community/lanzaboote";
-      inputs = {
-        nixpkgs.follows = "nixpkgs";
-        flake-parts.follows = "flake-parts";
-      };
-    };
-
-    # FIXME: https://github.com/NixOS/nix/issues/12281
-    lib = {
-      url = "git+https://git.karaolidis.com/karaolidis/nix-lib.git";
-      inputs = {
-        nixpkgs.follows = "nixpkgs";
-        treefmt-nix.follows = "treefmt-nix";
-      };
-    };
-
-    # FIXME: https://github.com/NixOS/nix/issues/12281
-    sas = {
-      url = "git+ssh://git@karaolidis.com/karaolidis/nix-sas.git";
-      inputs = {
-        nixpkgs.follows = "nixpkgs";
-        lib.follows = "lib";
-        treefmt-nix.follows = "treefmt-nix";
-      };
-    };
-
-    # FIXME: https://github.com/NixOS/nix/issues/12281
-    secrets = {
-      url = "git+ssh://git@karaolidis.com/karaolidis/nix-secrets.git";
-      flake = false;
-    };
-
     nur = {
       url = "github:nix-community/NUR";
       inputs = {
@@ -58,6 +17,12 @@
       };
     };
 
+    # DevOps
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     treefmt-nix = {
       url = "github:numtide/treefmt-nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -71,6 +36,66 @@
       };
     };
 
+    # Personal
+    lib = {
+      # FIXME: https://github.com/NixOS/nix/issues/12281
+      url = "git+https://git.karaolidis.com/karaolidis/nix-lib.git";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        treefmt-nix.follows = "treefmt-nix";
+      };
+    };
+
+    sas = {
+      # FIXME: https://github.com/NixOS/nix/issues/12281
+      url = "git+ssh://git@karaolidis.com/karaolidis/nix-sas.git";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        lib.follows = "lib";
+        treefmt-nix.follows = "treefmt-nix";
+      };
+    };
+
+    secrets = {
+      # FIXME: https://github.com/NixOS/nix/issues/12281
+      url = "git+ssh://git@karaolidis.com/karaolidis/nix-secrets.git";
+      flake = false;
+    };
+
+    # Hardware
+    disko = {
+      url = "github:nix-community/disko/latest";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-compat.follows = "flake-compat";
+        flake-parts.follows = "flake-parts";
+      };
+    };
+
+    nixos-wsl = {
+      url = "github:karaolidis/NixOS-WSL/extra-files";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-compat.follows = "flake-compat";
+      };
+    };
+
+    # Applications
+    nvf = {
+      url = "github:NotAShelf/nvf";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-compat.follows = "flake-compat";
+        flake-parts.follows = "flake-parts";
+        systems.follows = "systems";
+      };
+    };
+
     quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
 
     nvidia-patch = {
@@ -102,6 +127,7 @@
       };
     };
 
+    # Transitive Dependencies
     systems.url = "github:nix-systems/default";
 
     flake-parts.url = "github:hercules-ci/flake-parts";
@@ -110,6 +136,8 @@
       url = "github:numtide/flake-utils";
       inputs.systems.follows = "systems";
     };
+
+    flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
   };
 
   outputs =
@@ -119,8 +147,9 @@
         system:
         let
           patcher = unpatchedInputs.flake-input-patcher.lib.${system};
+          patches = import ./patches.nix { inherit patcher; };
         in
-        patcher.patch unpatchedInputs (import ./patches.nix { inherit patcher; });
+        if patches != { } then patcher.patch unpatchedInputs patches else unpatchedInputs;
 
       mkNixosConfiguration =
         inputs: system: modules:

hosts/common/configs/system/cloudflared/default.nix

@@ -1,5 +0,0 @@
-{ ... }:
-{
-  # https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/
-  services.cloudflared.enable = true;
-}

hosts/common/configs/system/dnsmasq/default.nix

@@ -1,22 +0,0 @@
-{ lib, pkgs, ... }:
-{
-  networking.networkmanager.dns = "dnsmasq";
-
-  environment.etc."NetworkManager/dnsmasq.d/10-bind-interfaces.conf".source =
-    (pkgs.formats.keyValue {
-      mkKeyValue =
-        name: value:
-        if value == true then
-          name
-        else if value == false then
-          ""
-        else
-          lib.generators.mkKeyValueDefault { } "=" name value;
-      listsAsDuplicateKeys = true;
-    }).generate
-      "10-bind-interfaces.conf"
-      {
-        bind-interfaces = true;
-        listen-address = [ "127.0.0.1" ];
-      };
-}

hosts/common/configs/system/gpg-agent/default.nix

@@ -1,4 +0,0 @@
-{ ... }:
-{
-  programs.gnupg.agent.enable = true;
-}

hosts/common/configs/system/libvirt/default.nix

@@ -1,9 +1,4 @@
-{
+{ config, pkgs, ... }:
-  config,
-  lib,
-  pkgs,
-  ...
-}:
 {
   virtualisation = {
     libvirtd = {

hosts/common/configs/system/nix-install/install.completion.zsh

@@ -18,8 +18,8 @@ _nix-install_completion() {
 
   _list_keys() {
     local flake="$(realpath ${words[2]})"
-    if [[ -d "$flake/secrets" ]]; then
+    if [[ -d "$flake/submodules/secrets/domains" ]]; then
-      find "$flake/secrets" -type f -name 'key.txt' | sed -E 's|^.*/secrets/([^/]+)/key.txt$|\1|' | sort -u
+      find "$flake/submodules/secrets/domains" -type f -name 'key.txt' | sed -E 's|^.*/submodules/secrets/domains/([^/]+)/key.txt$|\1|' | sort -u
     fi
   }
 

hosts/common/configs/system/nix-install/install.sh

@@ -43,17 +43,17 @@ check_host() {
 }
 
 check_key() {
-  if [[ -n "$key" ]] && [[ ! -f "$flake/secrets/$key/key.txt" ]]; then
+  if [[ -n "$key" ]] && [[ ! -f "$flake/submodules/secrets/domains/$key/key.txt" ]]; then
     echo "Key '$key' not found."
     exit 1
   fi
 }
 
 set_password_file() {
-  SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
+  SOPS_AGE_KEY_FILE="$flake/submodules/secrets/domains/$key/key.txt"
   export SOPS_AGE_KEY_FILE
   install -m 600 /dev/null /tmp/keyfile
-  sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
+  sops --decrypt --extract "['luks']" "$flake/submodules/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
   unset SOPS_AGE_KEY_FILE
 }
 
@@ -66,7 +66,7 @@ prepare_disk() {
 
 copy_sops_keys() {
   mkdir -p "$root/persist/state/etc/ssh"
-  cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
+  cp -f "$flake/submodules/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
 
   for path in "$flake/hosts/$host/users"/*; do
     if [[ -z "$key" ]]; then
@@ -77,7 +77,7 @@ copy_sops_keys() {
     user=$(basename "$path")
 
     mkdir -p "$root/persist/state/home/$user/.config/sops-nix"
-    cp -f "$flake/secrets/$key/key.txt" "$root/persist/state/home/$user/.config/sops-nix/key.txt"
+    cp -f "$flake/submodules/secrets/domains/$key/key.txt" "$root/persist/state/home/$user/.config/sops-nix/key.txt"
 
     owner=$(cat "$flake/hosts/$host/users/$user/uid")
     group=100
@@ -92,16 +92,16 @@ copy_sops_keys() {
 copy_secure_boot_keys() {
   mkdir -p "$root/persist/state/var/lib/sbctl/keys"/{db,KEK,PK}
 
-  SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
+  SOPS_AGE_KEY_FILE="$flake/submodules/secrets/domains/$key/key.txt"
   export SOPS_AGE_KEY_FILE
 
-  sops --decrypt --extract "['guid']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
+  sops --decrypt --extract "['guid']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
-  sops --decrypt --extract "['keys']['kek']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
+  sops --decrypt --extract "['keys']['kek']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
-  sops --decrypt --extract "['keys']['kek']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
+  sops --decrypt --extract "['keys']['kek']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
-  sops --decrypt --extract "['keys']['pk']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
+  sops --decrypt --extract "['keys']['pk']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
-  sops --decrypt --extract "['keys']['pk']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
+  sops --decrypt --extract "['keys']['pk']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
-  sops --decrypt --extract "['keys']['db']['key']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
+  sops --decrypt --extract "['keys']['db']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
-  sops --decrypt --extract "['keys']['db']['pem']" "$flake/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
+  sops --decrypt --extract "['keys']['db']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
 
   chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/*
 

hosts/common/configs/system/nix/default.nix

@@ -1,29 +1,51 @@
-{ config, inputs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
 {
   sops = {
     secrets = {
-      "git/credentials/github.com/public/username".sopsFile =
+      "git/credentials/github.com/tokens/public".sopsFile =
-        "${inputs.secrets}/domains/personal/secrets.yaml";
-      "git/credentials/github.com/public/password".sopsFile =
         "${inputs.secrets}/domains/personal/secrets.yaml";
+
+      "nix/cache/nix.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
     };
 
-    templates.nix-access-tokens = {
+    templates = {
-      content = ''
+      nix-access-tokens = {
-        access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/public/password"}
+        content = ''
-      '';
+          access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/tokens/public"}
-      group = "users";
+        '';
+        group = "users";
+        mode = "0440";
+      };
+
+      nix-netrc = {
+        content = ''
+          machine nix.karaolidis.com
+          password ${config.sops.placeholder."nix/cache/nix.karaolidis.com"}
+        '';
+        group = "users";
+        mode = "0440";
+      };
     };
   };
 
   nix = {
     settings = {
+      trusted-users = lib.mkAfter [ "@wheel" ];
       use-xdg-base-directories = true;
       experimental-features = [
         "nix-command"
         "flakes"
       ];
       download-buffer-size = 524288000;
+      substituters = lib.mkBefore [ "https://nix.karaolidis.com/main" ];
+      trusted-substituters = config.nix.settings.substituters;
+      trusted-public-keys = lib.mkBefore [ "main:nJVRBnv73MDkwuV5sgm52m4E2ImOhWHvY12qzjPegAk=" ];
+      netrc-file = config.sops.templates.nix-netrc.path;
     };
 
     channel.enable = false;

hosts/common/configs/system/ssh/default.nix

@@ -12,7 +12,7 @@
 
     jupiter-sish = {
       publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_sish_ed25519_key.pub";
-      extraHostNames = [ "karaolidis.com" ];
+      extraHostNames = [ "tunnel.karaolidis.com" ];
     };
 
     jupiter-vps = {

hosts/common/configs/system/sshd/default.nix

@@ -1,9 +1,6 @@
 { pkgs, ... }:
 {
-  environment.systemPackages = with pkgs; [
+  environment.systemPackages = with pkgs; [ kitty.terminfo ];
-    kitty.terminfo
-    tmux.terminfo
-  ];
 
   services.openssh = {
     enable = true;

hosts/common/configs/system/tmux/default.nix

@@ -1,10 +0,0 @@
-{ ... }:
-{
-  programs.tmux = {
-    enable = true;
-    clock24 = true;
-    historyLimit = 10000;
-    keyMode = "vi";
-    newSession = true;
-  };
-}

hosts/common/configs/user/console/attic/default.nix

@@ -0,0 +1,33 @@
+{ user, home }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
+let
+  hmConfig = config.home-manager.users.${user};
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets."nix/cache/nix.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+      templates."attic" = {
+        content = builtins.readFile (
+          (pkgs.formats.toml { }).generate "config.toml" {
+            default-server = "main";
+
+            servers."main" = {
+              endpoint = "https://nix.karaolidis.com/";
+              token = hmConfig.sops.placeholder."nix/cache/nix.karaolidis.com";
+            };
+          }
+        );
+        path = "${home}/.config/attic/config.toml";
+      };
+    };
+
+    home.packages = with pkgs; [ attic-client ];
+  };
+}

hosts/common/configs/user/console/btop/default.nix

@@ -1,17 +1,34 @@
 { user, home }:
-{ ... }:
+{ lib, pkgs, ... }:
 {
-  home-manager.users.${user}.programs.btop = {
+  home-manager.users.${user} = {
-    enable = true;
+    programs.btop = {
-    settings = {
+      enable = true;
-      theme_background = false;
+      settings = {
-      presets = "";
+        color_theme = "matugen";
-      vim_keys = true;
+        theme_background = false;
-      shown_boxes = "cpu mem net proc gpu0 gpu1";
+        presets = "";
-      update_ms = 1000;
+        vim_keys = true;
-      proc_tree = true;
+        shown_boxes = "cpu mem net proc gpu0 gpu1";
-      cpu_single_graph = true;
+        update_ms = 1000;
-      disks_filter = "/ /nix /persist";
+        proc_tree = true;
+        cpu_single_graph = true;
+        disks_filter = "/ /nix /persist";
+      };
+    };
+
+    theme = {
+      template.".config/btop/themes/matugen.theme".source = ./theme.theme;
+
+      reloadExtraConfig = "${
+        lib.meta.getExe (
+          pkgs.writeShellApplication {
+            name = "reload-btop";
+            runtimeInputs = with pkgs; [ procps ];
+            text = "exec pkill btop -SIGUSR2";
+          }
+        )
+      } &";
     };
   };
 }

hosts/common/configs/user/console/git/default.nix

@@ -41,5 +41,41 @@ in
         );
       };
     };
+
+    home = {
+      packages = with pkgs; [
+        (pkgs.writeShellApplication {
+          name = "gh";
+          runtimeInputs = with pkgs; [ gh ];
+          text = builtins.readFile ./gh.sh;
+        })
+        (pkgs.writeShellApplication {
+          name = "glab";
+          runtimeInputs = with pkgs; [ glab ];
+          text = builtins.readFile ./glab.sh;
+        })
+        (pkgs.writeShellApplication {
+          name = "tea";
+          runtimeInputs = with pkgs; [ tea ];
+          text = builtins.readFile ./tea.sh;
+        })
+      ];
+
+      sessionVariables = {
+        GITEA_HOST = "git.karaolidis.com";
+        GITEA_SSH_HOST = "karaolidis.com";
+      };
+    };
+
+    xdg.configFile = {
+      "gh/config.yml".source = (pkgs.formats.yaml { }).generate "config.yml" {
+        version = 1;
+        git_protocol = "ssh";
+      };
+
+      "glab-cli/config.yml".source = (pkgs.formats.yaml { }).generate "config.yml" {
+        git_protocol = "ssh";
+      };
+    };
   };
 }

hosts/common/configs/user/console/git/gh.sh

@@ -0,0 +1,8 @@
+# shellcheck shell=bash
+
+GH_HOST="${GH_HOST:-github.com}"
+
+GH_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GH_HOST}#\1#p" "$HOME/.config/git/credentials")
+export GH_TOKEN
+
+exec gh "$@"

hosts/common/configs/user/console/git/glab.sh

@@ -0,0 +1,8 @@
+# shellcheck shell=bash
+
+GITLAB_HOST="${GITLAB_HOST:-gitlab.com}"
+
+GITLAB_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GITLAB_HOST}#\1#p" "$HOME/.config/git/credentials")
+export GITLAB_TOKEN
+
+exec glab "$@"

hosts/common/configs/user/console/git/tea.sh

@@ -0,0 +1,13 @@
+# shellcheck shell=bash
+
+GITEA_HOST="${GITEA_HOST:-gitea.com}"
+GITEA_SSH_HOST="${GITEA_SSH_HOST:-gitea.com}"
+
+GITEA_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GITEA_HOST}#\1#p" "$HOME/.config/git/credentials")
+GITEA_INSTANCE_URL="https://${GITEA_HOST}"
+GITEA_INSTANCE_SSH_HOST="$GITEA_SSH_HOST"
+export GITEA_TOKEN
+export GITEA_INSTANCE_URL
+export GITEA_INSTANCE_SSH_HOST
+
+exec tea "$@"

hosts/common/configs/user/console/gpg-agent/default.nix

@@ -20,6 +20,10 @@
       enable = true;
       defaultCacheTtl = 31536000;
       maxCacheTtl = 31536000;
+      pinentry = {
+        package = pkgs.pinentry-all;
+        program = "pinentry-tty";
+      };
     };
 
     systemd.user = {

hosts/common/configs/user/console/home-manager/default.nix

@@ -1,5 +1,10 @@
 { user, home }:
-{ config, inputs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
 {
   imports = [ inputs.home-manager.nixosModules.default ];
 
@@ -15,10 +20,17 @@
       home.stateVersion = "24.11";
       systemd.user.startServices = true;
 
-      nix.settings.experimental-features = [
+      nix.settings = {
-        "nix-command"
+        inherit (config.nix.settings)
-        "flakes"
+          use-xdg-base-directories
-      ];
+          experimental-features
+          download-buffer-size
+          substituters
+          trusted-substituters
+          trusted-public-keys
+          netrc-file
+          ;
+      };
     };
   };
 }

hosts/common/configs/user/console/neovim/default.nix

@@ -1,22 +1,299 @@
 { user, home }:
-{ ... }:
 {
-  home-manager.users.${user}.programs = {
+  inputs,
-    neovim = {
+  lib,
-      enable = true;
+  pkgs,
-      defaultEditor = true;
+  ...
-      viAlias = true;
+}:
-      vimAlias = true;
+{
-      vimdiffAlias = true;
+  environment.persistence = {
-      extraConfig = ''
+    "/persist/state"."${home}/.local/share/nvf" = { };
-        set tabstop=2
+    "/persist/cache"."${home}/.cache/nvf" = { };
-        set shiftwidth=2
+  };
-        set expandtab
-        set smartindent
-        set mouse=
-      '';
-    };
 
-    zsh.p10k.extraRightPromptElements = [ "vim_shell" ];
+  home-manager.users.${user} = {
+    imports = [ inputs.nvf.homeManagerModules.default ];
+
+    programs = {
+      nvf = {
+        enable = true;
+        defaultEditor = true;
+
+        settings = {
+          vim = {
+            enableLuaLoader = true;
+
+            viAlias = true;
+            vimAlias = true;
+
+            autocomplete = {
+              blink-cmp.enable = true;
+            };
+
+            binds = {
+              # hardtime-nvim.enable = true;
+              whichKey.enable = true;
+            };
+
+            clipboard = {
+              enable = true;
+              providers.wl-copy.enable = true;
+              registers = "unnamedplus";
+            };
+
+            comments = {
+              comment-nvim.enable = true;
+            };
+
+            # dashboard = {
+            #   alpha.enable = true;
+            # };
+
+            filetree = {
+              neo-tree = {
+                enable = true;
+                setupOpts = {
+                  git_status_async = true;
+
+                  window.mappings = lib.generators.mkLuaInline ''
+                    {
+                      ["<space>"] = "noop",
+                    }
+                  '';
+                };
+              };
+            };
+
+            # formatter = {
+            #   conform-nvim.enable = true;
+            # };
+
+            git = {
+              enable = true;
+              # git-conflict.enable = true;
+              gitsigns.enable = true;
+              # neogit.enable = true;
+            };
+
+            languages = {
+              enableDAP = true;
+              enableFormat = true;
+              enableTreesitter = true;
+              enableExtraDiagnostics = true;
+
+              assembly.enable = true;
+              bash.enable = true;
+              clang.enable = true;
+              csharp.enable = true;
+              css.enable = true;
+              go.enable = true;
+              html.enable = true;
+              java.enable = true;
+              lua.enable = true;
+              markdown.enable = true;
+              nix = {
+                enable = true;
+                format.type = "nixfmt";
+                lsp.options.nil = {
+                  nix = {
+                    maxMemoryMB = null;
+                    flake = {
+                      autoArchive = true;
+                      autoEvalInputs = true;
+                    };
+                  };
+                };
+              };
+              php.enable = true;
+              python.enable = true;
+              rust.enable = true;
+              sql.enable = true;
+              svelte.enable = true;
+              ts.enable = true;
+              yaml.enable = true;
+            };
+
+            lsp = {
+              enable = true;
+              formatOnSave = true;
+              # nvim-docs-view.enable = true;
+              # otter-nvim.enable = true;
+              # trouble.enable = true;
+            };
+
+            # minimap = {
+            #   codewindow.enable = true;
+            # };
+
+            notify = {
+              nvim-notify.enable = true;
+            };
+
+            options = {
+              tabstop = 2;
+              shiftwidth = 2;
+              expandtab = true;
+              smartindent = true;
+            };
+
+            # projects = {
+            #   project-nvim.enable = true;
+            # };
+
+            searchCase = "smart";
+
+            # snippets = {
+            #   luasnip.enable = true;
+            # };
+
+            tabline = {
+              nvimBufferline = {
+                enable = true;
+                mappings.closeCurrent = "<leader>bd";
+                setupOpts.options = {
+                  indicator.style = "icon";
+                  show_close_icon = false;
+                  show_buffer_close_icons = false;
+                };
+              };
+            };
+
+            telescope = {
+              enable = true;
+              setupOpts.defaults.file_ignore_patterns = [
+                "node_modules"
+                "%.venv/"
+                "%.git/"
+                "dist/"
+                "build/"
+                "target/"
+                "result/"
+              ];
+            };
+
+            terminal = {
+              toggleterm = {
+                enable = true;
+                setupOpts.winbar.enabled = false;
+              };
+            };
+
+            treesitter = {
+              enable = true;
+              context.enable = true;
+              fold = true;
+              textobjects.enable = true;
+            };
+
+            ui = {
+              # breadcrumbs = {
+              #   enable = true;
+              #   navbuddy.enable = true;
+              # };
+              colorizer.enable = true;
+              # fastaction.enable = true;
+              # illuminate.enable = true;
+            };
+
+            undoFile.enable = true;
+
+            utility = {
+              # diffview-nvim.enable = true;
+              # icon-picker.enable = true;
+              # images = {
+              #   img-clip.enable = true;
+              # };
+              # mkdir.enable = true;
+              motion = {
+                precognition.enable = true;
+              };
+              # nvim-biscuits.enable = true;
+              # smart-splits.enable = true;
+              surround.enable = true;
+              # undotree.enable = true;
+              # yazi-nvim.enable = true;
+            };
+
+            visuals = {
+              # cinnamon-nvim.enable = true;
+              # fidget-nvim.enable = true;
+              # highlight-undo.enable = true;
+              indent-blankline.enable = true;
+              nvim-cursorline.enable = true;
+              # nvim-scrollbar.enable = true;
+              nvim-web-devicons.enable = true;
+            };
+
+            keymaps = [
+              {
+                mode = [ "n" ];
+                key = "<C-b>";
+                action = "<C-b>zz";
+                silent = true;
+                noremap = true;
+                desc = "Page up and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<C-u>";
+                action = "<C-u>zz";
+                silent = true;
+                noremap = true;
+                desc = "Half-page up and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<C-d>";
+                action = "<C-d>zz";
+                silent = true;
+                noremap = true;
+                desc = "Half-page down and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<C-f>";
+                action = "<C-f>zz";
+                silent = true;
+                noremap = true;
+                desc = "Page down and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>ww";
+                action = "<cmd>w<CR>";
+                silent = true;
+                desc = "Save";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>wq";
+                action = "<cmd>wq<CR>";
+                silent = true;
+                desc = "Save & Quit";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>ee";
+                action = "<cmd>Neotree toggle<CR>";
+                silent = true;
+                desc = "Toggle Neo-tree";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>ef";
+                action = "<cmd>Neotree reveal<CR>";
+                silent = true;
+                desc = "Reveal file in Neo-tree";
+              }
+            ];
+          };
+        };
+      };
+
+      zsh = {
+        p10k.extraRightPromptElements = [ "vim_shell" ];
+        shellAliases.v = "nvim";
+      };
+    };
   };
 }

hosts/common/configs/user/console/sops/default.nix

@@ -3,12 +3,18 @@
 {
   environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt" = { };
 
-  home-manager.users.${user} = {
+  home-manager.users.${user} =
-    imports = [ inputs.sops-nix.homeManagerModules.sops ];
+    let
+      sopsKeyFile =
+        if config.environment.impermanence.enable then
+          config.environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt".source
+        else
+          "${home}/.config/sops-nix/key.txt";
+    in
+    {
+      imports = [ inputs.sops-nix.homeManagerModules.sops ];
 
-    sops.age.keyFile =
+      sops.age.keyFile = sopsKeyFile;
-      config.environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt".source;
+      home.sessionVariables.SOPS_AGE_KEY_FILE = sopsKeyFile;
-    home.sessionVariables.SOPS_AGE_KEY_FILE =
+    };
-      config.environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt".source;
-  };
 }

hosts/common/configs/user/console/ssh-agent/default.nix

@@ -3,6 +3,6 @@
 {
   home-manager.users.${user} = {
     services.ssh-agent.enable = true;
-    programs.ssh.addKeysToAgent = "yes";
+    programs.ssh.matchBlocks."*".addKeysToAgent = "yes";
   };
 }

hosts/common/configs/user/console/ssh/default.nix

@@ -1,5 +1,9 @@
 { user, home }:
 { ... }:
 {
-  home-manager.users.${user}.programs.ssh.enable = true;
+  home-manager.users.${user}.programs.ssh = {
+    enable = true;
+    enableDefaultConfig = false;
+    matchBlocks."*".identitiesOnly = true;
+  };
 }

hosts/common/configs/user/console/syncthing/default.nix

@@ -14,11 +14,13 @@
     "syncthing/key" = {
       owner = user;
       group = "users";
+      mode = "0440";
     };
     # openssl req -new -x509 -key key.pem -out cert.pem -days 9999 -subj "/CN=syncthing"
     "syncthing/cert" = {
       owner = user;
       group = "users";
+      mode = "0440";
     };
   };
 

hosts/common/configs/user/console/tmux/default.nix

@@ -1,5 +0,0 @@
-{ user, home }:
-{ ... }:
-{
-  home-manager.users.${user}.programs.tmux.enable = true;
-}

hosts/common/configs/user/console/yazi/default.nix

@@ -23,7 +23,7 @@ in
           opener = {
             edit = [
               {
-                run = "${hmConfig.programs.neovim.finalPackage}/bin/nvim \"$@\"";
+                run = "${hmConfig.programs.nvf.finalPackage}/bin/nvim \"$@\"";
                 desc = "nvim";
                 block = true;
               }

hosts/common/configs/user/console/zellij/default.nix

@@ -0,0 +1,26 @@
+{ user, home }:
+{ ... }:
+{
+  home-manager.users.${user} = {
+    programs.zellij = {
+      enable = true;
+
+      settings = {
+        theme = "matugen";
+
+        pane_frames = false;
+        copy_command = "wl-copy";
+
+        ui.pane_frames.hide_session_name = true;
+
+        pane_viewport_serialization = true;
+        scrollback_lines_to_serialize = 0;
+
+        show_startup_tips = false;
+        show_release_notes = false;
+      };
+    };
+
+    theme.template.".config/zellij/themes/matugen.kdl".source = ./theme.kdl;
+  };
+}

hosts/common/configs/user/console/zellij/theme.kdl

@@ -0,0 +1,128 @@
+themes {
+    matugen {
+        text_unselected {
+            base {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_1 {{colors.secondary.default.red}} {{colors.secondary.default.green}} {{colors.secondary.default.blue}}
+            emphasis_2 {{colors.tertiary.default.red}} {{colors.tertiary.default.green}} {{colors.tertiary.default.blue}}
+            emphasis_3 {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+        }
+        text_selected {
+            base {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            background {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_0 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_1 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_2 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_3 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+        }
+        ribbon_unselected {
+            base {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+            background {{colors.surface_container.default.red}} {{colors.surface_container.default.green}} {{colors.surface_container.default.blue}}
+            emphasis_0 {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_1 {{colors.secondary.default.red}} {{colors.secondary.default.green}} {{colors.secondary.default.blue}}
+            emphasis_2 {{colors.tertiary.default.red}} {{colors.tertiary.default.green}} {{colors.tertiary.default.blue}}
+            emphasis_3 {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+        }
+        ribbon_selected {
+            base {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            background {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_0 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_1 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_2 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_3 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+        }
+        table_title {
+            base {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_1 {{colors.secondary.default.red}} {{colors.secondary.default.green}} {{colors.secondary.default.blue}}
+            emphasis_2 {{colors.tertiary.default.red}} {{colors.tertiary.default.green}} {{colors.tertiary.default.blue}}
+            emphasis_3 {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+        }
+        table_cell_unselected {
+            base {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_1 {{colors.secondary.default.red}} {{colors.secondary.default.green}} {{colors.secondary.default.blue}}
+            emphasis_2 {{colors.tertiary.default.red}} {{colors.tertiary.default.green}} {{colors.tertiary.default.blue}}
+            emphasis_3 {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+        }
+        table_cell_selected {
+            base {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            background {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_0 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_1 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_2 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_3 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+        }
+        list_unselected {
+            base {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_1 {{colors.secondary.default.red}} {{colors.secondary.default.green}} {{colors.secondary.default.blue}}
+            emphasis_2 {{colors.tertiary.default.red}} {{colors.tertiary.default.green}} {{colors.tertiary.default.blue}}
+            emphasis_3 {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+        }
+        list_selected {
+            base {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            background {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_0 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_1 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_2 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_3 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+        }
+        frame_unselected {
+            base {{colors.outline_variant.default.red}} {{colors.outline_variant.default.green}} {{colors.outline_variant.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 0
+            emphasis_1 0
+            emphasis_2 0
+            emphasis_3 0
+        }
+        frame_selected {
+            base {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 0
+            emphasis_1 0
+            emphasis_2 0
+            emphasis_3 0
+        }
+        frame_highlight {
+            base {{colors.error.default.red}} {{colors.error.default.green}} {{colors.error.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 0
+            emphasis_1 0
+            emphasis_2 0
+            emphasis_3 0
+        }
+        exit_code_success {
+            base {{colors.success.default.red}} {{colors.success.default.green}} {{colors.success.default.blue}}
+            background 0
+            emphasis_0 0
+            emphasis_1 0
+            emphasis_2 0
+            emphasis_3 0
+        }
+        exit_code_error {
+            base {{colors.error.default.red}} {{colors.error.default.green}} {{colors.error.default.blue}}
+            background 0
+            emphasis_0 0
+            emphasis_1 0
+            emphasis_2 0
+            emphasis_3 0
+        }
+        multiplayer_user_colors {
+            player_1 0
+            player_2 0
+            player_3 0
+            player_4 0
+            player_5 0
+            player_6 0
+            player_7 0
+            player_8 0
+            player_9 0
+            player_10 0
+        }
+    }
+}

hosts/common/configs/user/gui/btop/default.nix

@@ -1,26 +0,0 @@
-{ user, home }:
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  home-manager.users.${user} = {
-    programs.btop.settings.color_theme = "matugen";
-
-    theme = {
-      template.".config/btop/themes/matugen.theme".source = ./theme.theme;
-
-      reloadExtraConfig = "${
-        lib.meta.getExe (
-          pkgs.writeShellApplication {
-            name = "reload-btop";
-            runtimeInputs = with pkgs; [ procps ];
-            text = "exec pkill btop -SIGUSR2";
-          }
-        )
-      } &";
-    };
-  };
-}

hosts/common/configs/user/gui/hyprland/default.nix

@@ -154,7 +154,7 @@
 
     programs.zsh = {
       loginExtra = lib.mkAfter ''
-        if uwsm check may-start; then
+        if uwsm check may-start > /dev/null; then
           exec uwsm start hyprland-uwsm.desktop
         fi
       '';

hosts/common/configs/user/gui/hyprsunset/default.nix

@@ -0,0 +1,5 @@
+{ user, home }:
+{ ... }:
+{
+  home-manager.users.${user}.services.hyprsunset.enable = true;
+}

hosts/common/configs/user/gui/kitty/default.nix

@@ -26,6 +26,56 @@ in
         enable_audio_bell = false;
       };
 
+      keybindings =
+        { }
+        // builtins.listToAttrs (
+          builtins.map
+            (k: {
+              name = k;
+              value = "no_op";
+            })
+            [
+              # Window management
+              "kitty_mod+enter"
+              "kitty_mod+n"
+              "kitty_mod+w"
+              "kitty_mod+]"
+              "kitty_mod+["
+              "kitty_mod+f"
+              "kitty_mod+b"
+              "kitty_mod+`"
+              "kitty_mod+r"
+              "kitty_mod+1"
+              "kitty_mod+2"
+              "kitty_mod+3"
+              "kitty_mod+4"
+              "kitty_mod+5"
+              "kitty_mod+6"
+              "kitty_mod+7"
+              "kitty_mod+8"
+              "kitty_mod+9"
+              "kitty_mod+0"
+              "kitty_mod+f7"
+              "kitty_mod+f8"
+
+              # Tab management
+              "kitty_mod+right"
+              "shift+cmd+]"
+              "ctrl+tab"
+              "kitty_mod+left"
+              "shift+cmd+["
+              "ctrl+shift+tab"
+              "kitty_mod+t"
+              "kitty_mod+q"
+              "kitty_mod+."
+              "kitty_mod+,"
+              "kitty_mod+alt+t"
+
+              # Layout management
+              "kitty_mod+l"
+            ]
+        );
+
       extraConfig = ''
         include theme.conf
       '';

hosts/elara/README.md

@@ -4,7 +4,12 @@
 
 This host uses private SAS repositories. You can find the imports for these in:
 
-- [./default.nix](./default.nix)
+You must build the system once with `sas.build.private = false;`. Then, connect to the SAS VPN, and rebuild the system.
-- [./users/nikara/default.nix](./users/nikara/default.nix)
 
-You must build the system once with these imports commented out. Then, connect to the SAS VPN, uncomment them, and rebuild the system.
+## Installation Instructions
+
+1. Using a separate Nix system, run `hosts/elara/build-tarball.sh`
+2. Copy the generated tarball to the Elara host
+3. On the Elara host, run `wsl --import NixOS $env:USERPROFILE\NixOS nixos.wsl --version 2` in PowerShell
+4. Enable `cgroup v2` support by setting `kernelCommandLine=cgroup_no_v1=all` in `.wslconfig` in your Windows home directory
+5. Optionally, run `wsl --set-default nixos` to make NixOS the default WSL distribution

hosts/elara/build-tarball.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+temp=$(mktemp -d)
+
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+install -d -m 755 "$temp/etc/ssh"
+cp ./submodules/secrets/hosts/elara/ssh_host_ed25519_key "$temp/etc/ssh/ssh_host_ed25519_key"
+
+install -d -m 700 "$temp/home/nikara"
+install -d -m 755 "$temp/home/nikara/.config/sops-nix"
+cp ./submodules/secrets/domains/sas/key.txt "$temp/home/nikara/.config/sops-nix/key.txt"
+
+sudo nix run .#nixosConfigurations.elara.config.system.build.tarballBuilder -- \
+  --extra-files "$temp" \
+  --chown /home/nikara 1000:100

hosts/elara/configs/globalprotect/default.nix

@@ -1,29 +0,0 @@
-{ config, inputs, ... }:
-{
-  sops.secrets = {
-    "globalprotect/email".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
-    "globalprotect/gateway".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
-    "globalprotect/ssh/key".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
-    "ntfy/username".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
-    "ntfy/password".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
-  };
-
-  sas.globalprotect = {
-    enable = true;
-
-    email.file = config.sops.secrets."globalprotect/email".path;
-    gateway.file = config.sops.secrets."globalprotect/gateway".path;
-
-    sish = {
-      host = "karaolidis.com";
-      port = "2222";
-      keyFile = config.sops.secrets."globalprotect/ssh/key".path;
-    };
-
-    ntfy = {
-      url = "https://ntfy.karaolidis.com/sas";
-      username.file = config.sops.secrets."ntfy/username".path;
-      password.file = config.sops.secrets."ntfy/password".path;
-    };
-  };
-}

hosts/elara/configs/nix/default.nix

@@ -0,0 +1,4 @@
+{ inputs, ... }:
+{
+  nix.registry.sas.flake = inputs.sas;
+}

hosts/elara/configs/podman/default.nix

@@ -0,0 +1,4 @@
+{ lib, ... }:
+{
+  virtualisation.containers.storage.settings.storage.driver = lib.mkForce "overlay";
+}

hosts/elara/configs/ssh/default.nix

@@ -33,16 +33,14 @@
         HostName github.com
         IdentityFile /root/.ssh/ssh_sas_ed25519_key
         IdentitiesOnly yes
+        UserKnownHostsFile ${pkgs.sshKnownHosts.github}
 
       Host gitlab.sas.com
         User git
         HostName gitlab.sas.com
         IdentityFile /root/.ssh/ssh_sas_ed25519_key
         IdentitiesOnly yes
+        ${lib.strings.optionalString config.sas.build.private "UserKnownHostsFile ${pkgs.sshKnownHosts.sas-gitlab}"}
     '';
-
-    knownHostsFiles =
-      with pkgs.sshKnownHosts;
-      ([ github ] ++ lib.lists.optionals config.sas.build.private [ sas-gitlab ]);
   };
 }

hosts/elara/default.nix

@@ -1,4 +1,4 @@
-{ config, inputs, ... }:
+{ inputs, lib, ... }:
 {
   nixpkgs.overlays = [
     inputs.lib.overlays.default
@@ -8,56 +8,34 @@
   ];
 
   imports = [
-    ./options.nix
+    inputs.nixos-wsl.nixosModules.default
-
-    inputs.disko.nixosModules.disko
-    ./format.nix
-    ./hardware
-
     inputs.sas.nixosModules.default
 
+    ./hardware
+    ./options.nix
+
     ../common/configs/system
 
-    ../common/configs/system/bluetooth
-    ../common/configs/system/boot
-    ../common/configs/system/brightnessctl
-    ../common/configs/system/btrbk
-    ../common/configs/system/btrfs
-    ../common/configs/system/cloudflared
-    ../common/configs/system/dnsmasq
     ../common/configs/system/documentation
-    ../common/configs/system/getty
     ../common/configs/system/git
-    ../common/configs/system/gpg-agent
     ../common/configs/system/impermanence
-    ../common/configs/system/lanzaboote
-    ../common/configs/system/libvirt
     ../common/configs/system/neovim
-    ../common/configs/system/networkmanager
     ../common/configs/system/nix
-    ../common/configs/system/nix-cleanup
-    ../common/configs/system/nix-install
     ../common/configs/system/nix-ld
     ../common/configs/system/nix-update
     ../common/configs/system/nixpkgs
-    ../common/configs/system/ntp
-    ../common/configs/system/pipewire
     ../common/configs/system/podman
-    ../common/configs/system/power
-    ../common/configs/system/printing
-    ../common/configs/system/smartmontools
     ../common/configs/system/sops
     ../common/configs/system/ssh
+    ../common/configs/system/sshd
     ../common/configs/system/sudo
     ../common/configs/system/system
-    ../common/configs/system/timezone
-    ../common/configs/system/tmux
-    ../common/configs/system/upower
     ../common/configs/system/users
     ../common/configs/system/zsh
 
-    ./configs/globalprotect
+    ./configs/nix
     ./configs/pki
+    ./configs/podman
     ./configs/ssh
 
     ./users/nikara
@@ -65,8 +43,7 @@
 
   networking.hostName = "elara";
 
-  sas.build.private = true;
+  sas.build.private = false;
 
-  environment.impermanence.device =
+  environment.impermanence.enable = lib.mkForce false;
-    config.disko.devices.disk.usb.content.partitions.root.content.content.device;
 }

hosts/elara/format.nix

@@ -1,87 +0,0 @@
-{
-  disko.devices = {
-    disk.usb = {
-      device = "/dev/disk/by-id/ata-Samsung_SSD_990_EVO_1TB_S7GCNL0XA04998F";
-      type = "disk";
-      content = {
-        type = "gpt";
-        partitions = {
-          boot = {
-            name = "boot";
-            size = "1M";
-            type = "EF02";
-          };
-          esp = {
-            name = "esp";
-            size = "512M";
-            type = "EF00";
-            content = {
-              type = "filesystem";
-              format = "vfat";
-              mountpoint = "/boot";
-              mountOptions = [ "umask=0077" ];
-            };
-          };
-          swap = {
-            name = "swap";
-            size = "32G";
-            content = {
-              type = "swap";
-              resumeDevice = true;
-            };
-          };
-          root = {
-            name = "root";
-            size = "100%";
-            content = {
-              name = "usb";
-              type = "luks";
-              passwordFile = "/tmp/keyfile";
-              settings = {
-                allowDiscards = true;
-              };
-              content = {
-                type = "btrfs";
-                extraArgs = [ "-f" ];
-                subvolumes =
-                  let
-                    mountOptions = [
-                      "compress=zstd:3"
-                      "noatime"
-                      "user_subvol_rm_allowed"
-                    ];
-                  in
-                  {
-                    "@" = {
-                      mountpoint = "/";
-                      inherit mountOptions;
-                    };
-                    "@persist" = {
-                      mountpoint = "/persist";
-                      inherit mountOptions;
-                    };
-                    "@persist/user" = {
-                      mountpoint = "/persist/user";
-                      inherit mountOptions;
-                    };
-                    "@persist/state" = {
-                      mountpoint = "/persist/state";
-                      inherit mountOptions;
-                    };
-                    "@persist/cache" = {
-                      mountpoint = "/persist/cache";
-                      inherit mountOptions;
-                    };
-                    "@nix" = {
-                      mountpoint = "/nix";
-                      inherit mountOptions;
-                    };
-                  };
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/elara/hardware/default.nix

@@ -1,19 +1,10 @@
 { ... }:
 {
-  boot.initrd.kernelModules = [
+  imports = [ ./display.nix ];
-    "xhci_pci"
-    "uas"
-    "sd_mod"
-  ];
 
-  services.tlp.settings.DISK_DEVICES = "sda";
+  wsl = {
-
+    enable = true;
-  # By default, this host runs on an external SSD attached to himalia...
+    tarball.configPath = ../../../.;
-  imports = [ ../../himalia/hardware ];
+    startMenuLaunchers = true;
-
-  # ...but it can also run attached to a SAS-provided laptop.
-  specialisation.sas.configuration = {
-    disabledModules = [ ../../himalia/hardware ];
-    imports = [ ./sas ];
   };
 }

hosts/elara/hardware/display.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  home-manager.sharedModules = [
+    { programs.vscode.profiles.default.userSettings."window.zoomLevel" = (1.25 - 1) / 0.2; }
+  ];
+}

hosts/elara/hardware/sas/default.nix

@@ -1,28 +0,0 @@
-{ ... }:
-{
-  imports = [
-    ./display.nix
-    ./keybinds.nix
-  ];
-
-  hardware = {
-    enableAllFirmware = true;
-
-    cpu = {
-      cores = 8;
-      threads = 12;
-      intel.updateMicrocode = true;
-    };
-  };
-
-  boot = {
-    kernelModules = [ "kvm-intel" ];
-    initrd.kernelModules = [
-      "thunderbolt"
-      "vmd"
-      "nvme"
-    ];
-  };
-
-  services.fstrim.enable = true;
-}

hosts/elara/hardware/sas/display.nix

@@ -1,30 +0,0 @@
-{ ... }:
-{
-  boot.kernelParams = [ "video=eDP-1:1920x1200@60" ];
-
-  home-manager.sharedModules = [
-    {
-      wayland.windowManager.hyprland.settings = {
-        monitor = [
-          "eDP-1, preferred, 0x0, 1"
-          ", maxwidth, auto-center-up, 1"
-        ];
-
-        workspace = [
-          "1, monitor:eDP-1, layoutopt:orientation:left"
-          "2, monitor:eDP-1, layoutopt:orientation:left"
-          "3, monitor:eDP-1, layoutopt:orientation:left"
-          "4, monitor:eDP-1, layoutopt:orientation:left"
-          "5, monitor:eDP-1, layoutopt:orientation:left"
-          "6, monitor:eDP-1, layoutopt:orientation:left"
-          "7, monitor:eDP-1, layoutopt:orientation:left"
-          "8, monitor:eDP-1, layoutopt:orientation:left"
-          "9, monitor:eDP-1, layoutopt:orientation:left"
-          "10, monitor:eDP-1, layoutopt:orientation:left"
-        ];
-      };
-
-      programs.vscode.profiles.default.userSettings."window.zoomLevel" = (1.25 - 1) / 0.2;
-    }
-  ];
-}

hosts/elara/hardware/sas/keybinds.nix

@@ -1,15 +0,0 @@
-{ lib, pkgs, ... }:
-{
-  home-manager.sharedModules = [
-    {
-      wayland.windowManager.hyprland.settings.bindle =
-        let
-          brightnessctl = lib.meta.getExe pkgs.brightnessctl;
-        in
-        [
-          ", XF86MonBrightnessUp, exec, ${brightnessctl} -q s 5%+"
-          ", XF86MonBrightnessDown, exec, ${brightnessctl} -q s 5%-"
-        ];
-    }
-  ];
-}

hosts/elara/users/nikara/configs/console/gpg/default.nix

@@ -1,5 +1,10 @@
 { user, home }:
-{ config, inputs, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
 let
   hmConfig = config.home-manager.users.${user};
 in

hosts/elara/users/nikara/configs/console/neovim/default.nix

@@ -0,0 +1,6 @@
+{ user, home }:
+{ pkgs, ... }:
+{
+  home-manager.users.${user}.programs.nvf.settings.vim.clipboard.providers.wl-copy.package =
+    pkgs.wsl-wl-clipboard;
+}

hosts/elara/users/nikara/configs/console/podman/default.nix

@@ -10,41 +10,45 @@ let
   hmConfig = config.home-manager.users.${user};
 in
 {
-  home-manager.users.${user}.sops = {
+  home-manager.users.${user} = {
-    secrets = {
+    sops = {
-      "registry/personal/git.karaolidis.com" = {
+      secrets = {
-        sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+        "registry/personal/git.karaolidis.com" = {
-        key = "registry/git.karaolidis.com";
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "registry/git.karaolidis.com";
+        };
+
+        "registry/personal/docker.io" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "registry/docker.io";
+        };
+
+        "registry/sas/cr.sas.com" = {
+          sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+          key = "registry/cr.sas.com";
+        };
       };
 
-      "registry/personal/docker.io" = {
+      templates.containers-auth = {
-        sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+        content = builtins.readFile (
-        key = "registry/docker.io";
+          (pkgs.formats.json { }).generate "auth.json" {
-      };
+            auths = {
-
+              "git.karaolidis.com" = {
-      "registry/sas/cr.sas.com" = {
+                auth = hmConfig.sops.placeholder."registry/personal/git.karaolidis.com";
-        sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+              };
-        key = "registry/cr.sas.com";
+              "docker.io" = {
+                auth = hmConfig.sops.placeholder."registry/personal/docker.io";
+              };
+              "cr.sas.com" = {
+                auth = hmConfig.sops.placeholder."registry/sas/cr.sas.com";
+              };
+            };
+          }
+        );
+        path = "${home}/.config/containers/auth.json";
       };
     };
 
-    templates.containers-auth = {
+    services.podman.settings.storage.storage.driver = lib.mkForce "overlay";
-      content = builtins.readFile (
-        (pkgs.formats.json { }).generate "auth.json" {
-          auths = {
-            "git.karaolidis.com" = {
-              auth = hmConfig.sops.placeholder."registry/personal/git.karaolidis.com";
-            };
-            "docker.io" = {
-              auth = hmConfig.sops.placeholder."registry/personal/docker.io";
-            };
-            "cr.sas.com" = {
-              auth = hmConfig.sops.placeholder."registry/sas/cr.sas.com";
-            };
-          };
-        }
-      );
-      path = "${home}/.config/containers/auth.json";
-    };
   };
 }

hosts/elara/users/nikara/configs/console/sas/default.nix

@@ -54,8 +54,10 @@ in
       packages =
         with pkgs;
         [
+          gcc
           gopls
           go-tools
+          delve
           golangci-lint
           golangci-lint-langserver
         ]

hosts/elara/users/nikara/configs/console/ssh/default.nix

@@ -46,118 +46,158 @@ in
           key = "ssh/rsa/pass";
         };
 
-        "git/credentials/personal/git.karaolidis.com/admin/username" = {
+        "git/credentials/personal/git.karaolidis.com/username" = {
           sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
-          key = "git/credentials/git.karaolidis.com/admin/username";
+          key = "git/credentials/git.karaolidis.com/username";
         };
 
-        "git/credentials/personal/git.karaolidis.com/admin/password" = {
+        "git/credentials/personal/git.karaolidis.com/tokens/admin" = {
           sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
-          key = "git/credentials/git.karaolidis.com/admin/password";
+          key = "git/credentials/git.karaolidis.com/tokens/admin";
         };
 
-        "git/credentials/sas/github.com/admin/username" = {
+        "git/credentials/sas/github.com/username" = {
           sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
-          key = "git/credentials/github.com/admin/username";
+          key = "git/credentials/github.com/username";
         };
 
-        "git/credentials/sas/github.com/admin/password" = {
+        "git/credentials/sas/github.com/tokens/admin" = {
           sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
-          key = "git/credentials/github.com/admin/password";
+          key = "git/credentials/github.com/tokens/admin";
+        };
+
+        "git/credentials/personal/github.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/github.com/username";
+        };
+
+        "git/credentials/personal/github.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/github.com/tokens/admin";
+        };
+
+        "git/credentials/personal/gitlab.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitlab.com/username";
+        };
+
+        "git/credentials/personal/gitlab.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitlab.com/tokens/admin";
+        };
+
+        "git/credentials/personal/gitea.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitea.com/username";
+        };
+
+        "git/credentials/personal/gitea.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitea.com/tokens/admin";
         };
       };
 
       templates."git/credentials" = {
         content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/admin/username"}:${
+          https://${hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/username"}:${
-            hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/admin/password"
+            hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/tokens/admin"
           }@git.karaolidis.com
-          https://${hmConfig.sops.placeholder."git/credentials/sas/github.com/admin/username"}:${
+          https://${hmConfig.sops.placeholder."git/credentials/sas/github.com/username"}:${
-            hmConfig.sops.placeholder."git/credentials/sas/github.com/admin/password"
+            hmConfig.sops.placeholder."git/credentials/sas/github.com/tokens/admin"
           }@github.com
+          https://${hmConfig.sops.placeholder."git/credentials/personal/gitlab.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/personal/gitlab.com/tokens/admin"
+          }@gitlab.com
+          https://${hmConfig.sops.placeholder."git/credentials/personal/gitea.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/personal/gitea.com/tokens/admin"
+          }@gitea.com
         '';
         path = "${home}/.config/git/credentials";
       };
     };
 
     programs = {
-      ssh = {
+      ssh.matchBlocks = {
-        matchBlocks = {
+        "karaolidis.com" = {
-          "karaolidis.com" = {
+          hostname = "karaolidis.com";
-            hostname = "karaolidis.com";
+          user = "nick";
-            user = "nick";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "github.com" = {
-            hostname = "github.com";
-            user = "git";
-            identityFile = [ "${home}/.ssh/ssh_personal_ed25519_key" ];
-            identitiesOnly = true;
-          };
-
-          "gitlab.com" = {
-            hostname = "gitlab.com";
-            user = "git";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "github.sas.com" = {
-            hostname = "github.com";
-            user = "git";
-            identityFile = [ "${home}/.ssh/ssh_sas_ed25519_key" ];
-            identitiesOnly = true;
-          };
-
-          "cldlgn.fyi.sas.com" = {
-            inherit user;
-            hostname = "cldlgn.fyi.sas.com";
-            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "gitlab.sas.com" = {
-            hostname = "gitlab.sas.com";
-            user = "git";
-            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "gerrit-svi.unx.sas.com" = {
-            hostname = "gerrit-svi.unx.sas.com";
-            user = "nikara";
-            port = 29418;
-            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "artifactlfs.unx.sas.com" = {
-            hostname = "artifactlfs.unx.sas.com";
-            user = "nikara";
-            port = 1339;
-            identityFile = "${home}/.ssh/ssh_sas_rsa_key";
-            identitiesOnly = true;
-          };
         };
 
-        userKnownHostsFile = builtins.concatStringsSep " " (
+        "tunnel.karaolidis.com" = {
-          with pkgs.sshKnownHosts;
+          hostname = "tunnel.karaolidis.com";
-          (
+          user = "nick";
-            [
+          port = 2222;
-              "${home}/.ssh/known_hosts"
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-              github
+        };
-              gitlab
+
-            ]
+        "github.com" = {
-            ++ lib.lists.optionals config.sas.build.private [
+          hostname = "github.com";
-              sas-cldlgn
+          user = "git";
-              sas-gitlab
+          identityFile = [ "${home}/.ssh/ssh_personal_ed25519_key" ];
-              sas-gerrit
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.github;
-              sas-artifact
+        };
-            ]
+
-          )
+        "gitlab.com" = {
-        );
+          hostname = "gitlab.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitlab;
+        };
+
+        "gitea.com" = {
+          hostname = "gitea.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitea;
+        };
+
+        "github.sas.com" = {
+          hostname = "github.com";
+          user = "git";
+          identityFile = [ "${home}/.ssh/ssh_sas_ed25519_key" ];
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.github
+          );
+        };
+
+        "cldlgn.fyi.sas.com" = {
+          inherit user;
+          hostname = "cldlgn.fyi.sas.com";
+          identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-cldlgn
+          );
+        };
+
+        "gitlab.sas.com" = {
+          hostname = "gitlab.sas.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-gitlab
+          );
+        };
+
+        "gerrit-svi.unx.sas.com" = {
+          hostname = "gerrit-svi.unx.sas.com";
+          user = "nikara";
+          port = 29418;
+          identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-gerrit
+          );
+        };
+
+        "artifactlfs.unx.sas.com" = {
+          hostname = "artifactlfs.unx.sas.com";
+          user = "nikara";
+          port = 1339;
+          identityFile = "${home}/.ssh/ssh_sas_rsa_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-artifact
+          );
+        };
       };
 
       git.extraConfig.url = {

hosts/elara/users/nikara/configs/console/wsl/default.nix

@@ -0,0 +1,5 @@
+{ user, home }:
+{ pkgs, ... }:
+{
+  home-manager.users.${user}.home.packages = with pkgs; [ wsl-wl-clipboard ];
+}

hosts/elara/users/nikara/configs/gui/kitty/default.nix

@@ -0,0 +1,5 @@
+{ user, home }:
+{ ... }:
+{
+  home-manager.users.${user}.programs.kitty.settings.hide_window_decorations = true;
+}

hosts/elara/users/nikara/configs/gui/obsidian/default.nix

@@ -1,23 +1,5 @@
 { user, home }:
 { ... }:
 {
-  home-manager.users.${user} = {
+  home-manager.users.${user}.programs.obsidian.vaults."Documents/Obsidian/master".enable = true;
-    programs.obsidian.vaults = {
-      "Documents/Obsidian/personal/master".enable = true;
-      "Documents/Obsidian/sas/master".enable = true;
-    };
-
-    services.syncthing.settings.folders.obsidian = {
-      label = "Obsidian";
-      path = "${home}/Documents/Obsidian/personal";
-      devices = [
-        "amalthea"
-        "ganymede"
-      ];
-      maxConflicts = 0;
-    };
-
-    home.file."Documents/Obsidian/personal/.stignore".source =
-      ../../../../../../common/configs/user/gui/obsidian/.stignore;
-  };
 }

hosts/elara/users/nikara/configs/gui/vscode/default.nix

@@ -1,26 +1,30 @@
 { user, home }:
-{ ... }:
+{ lib, ... }:
 {
-  home-manager.users.${user}.programs.vscode = {
+  home-manager.users.${user} = {
-    languages = {
+    programs.vscode = {
-      c.enable = true;
+      languages = {
-      go.enable = true;
+        c.enable = true;
-      hugo.enable = true;
+        go.enable = true;
-      java.enable = true;
+        hugo.enable = true;
-      jinja.enable = true;
+        java.enable = true;
-      lua.enable = true;
+        jinja.enable = true;
-      markdown.enable = true;
+        lua.enable = true;
-      nix.enable = true;
+        markdown.enable = true;
-      podman.enable = true;
+        nix.enable = true;
-      python.enable = true;
+        podman.enable = true;
-      rest.enable = true;
+        python.enable = true;
-      rust.enable = true;
+        rest.enable = true;
-      sas.enable = true;
+        rust.enable = true;
-      sops.enable = true;
+        sas.enable = true;
-      typescript.enable = true;
+        sops.enable = true;
-      yaml.enable = true;
+        typescript.enable = true;
+        yaml.enable = true;
+      };
+
+      copilot.enable = true;
     };
 
-    copilot.enable = true;
+    home.sessionVariables.DONT_PROMPT_WSL_INSTALL = "1";
   };
 }

hosts/elara/users/nikara/default.nix

@@ -14,8 +14,7 @@ in
   imports = [
     (import ../../../common/configs/user { inherit user home; })
 
-    (import ../../../common/configs/user/console/android { inherit user home; })
+    (import ../../../common/configs/user/console/attic { inherit user home; })
-    (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/dive { inherit user home; })
     (import ../../../common/configs/user/console/fastfetch { inherit user home; })
@@ -27,69 +26,41 @@ in
     (import ../../../common/configs/user/console/ip { inherit user home; })
     (import ../../../common/configs/user/console/jq { inherit user home; })
     (import ../../../common/configs/user/console/kubernetes { inherit user home; })
-    (import ../../../common/configs/user/console/libvirt { inherit user home; })
     (import ../../../common/configs/user/console/lsof { inherit user home; })
     (import ../../../common/configs/user/console/mprocs { inherit user home; })
     (import ../../../common/configs/user/console/ncdu { inherit user home; })
-    (import ../../../common/configs/user/console/ncspot { inherit user home; })
     (import ../../../common/configs/user/console/neovim { inherit user home; })
     (import ../../../common/configs/user/console/nix { inherit user home; })
-    (import ../../../common/configs/user/console/nix-cleanup { inherit user home; })
     (import ../../../common/configs/user/console/nix-develop { inherit user home; })
     (import ../../../common/configs/user/console/nix-direnv { inherit user home; })
     (import ../../../common/configs/user/console/ouch { inherit user home; })
-    (import ../../../common/configs/user/console/pipewire { inherit user home; })
     (import ../../../common/configs/user/console/podman { inherit user home; })
     (import ../../../common/configs/user/console/sops { inherit user home; })
     (import ../../../common/configs/user/console/ssh { inherit user home; })
     (import ../../../common/configs/user/console/ssh-agent { inherit user home; })
-    (import ../../../common/configs/user/console/syncthing { inherit user home; })
-    (import ../../../common/configs/user/console/tmux { inherit user home; })
     (import ../../../common/configs/user/console/tree { inherit user home; })
     (import ../../../common/configs/user/console/wget { inherit user home; })
     (import ../../../common/configs/user/console/xdg { inherit user home; })
     (import ../../../common/configs/user/console/yazi { inherit user home; })
-    (import ../../../common/configs/user/console/yt-dlp { inherit user home; })
+    (import ../../../common/configs/user/console/zellij { inherit user home; })
     (import ../../../common/configs/user/console/zoxide { inherit user home; })
     (import ../../../common/configs/user/console/zsh { inherit user home; })
 
-    (import ../../../common/configs/user/gui/astal { inherit user home; })
-    (import ../../../common/configs/user/gui/bluetooth { inherit user home; })
-    (import ../../../common/configs/user/gui/btop { inherit user home; })
-    (import ../../../common/configs/user/gui/clipbook { inherit user home; })
-    (import ../../../common/configs/user/gui/cliphist { inherit user home; })
-    (import ../../../common/configs/user/gui/emoji { inherit user home; })
-    (import ../../../common/configs/user/gui/feh { inherit user home; })
-    (import ../../../common/configs/user/gui/firefox { inherit user home; })
     (import ../../../common/configs/user/gui/gtk { inherit user home; })
-    (import ../../../common/configs/user/gui/hypridle { inherit user home; })
-    (import ../../../common/configs/user/gui/hyprland { inherit user home; })
-    (import ../../../common/configs/user/gui/hyprpicker { inherit user home; })
-    (import ../../../common/configs/user/gui/hyprshot { inherit user home; })
     (import ../../../common/configs/user/gui/kitty { inherit user home; })
-    (import ../../../common/configs/user/gui/libreoffice { inherit user home; })
-    (import ../../../common/configs/user/gui/mpv { inherit user home; })
-    (import ../../../common/configs/user/gui/networkmanager { inherit user home; })
-    (import ../../../common/configs/user/gui/obs { inherit user home; })
     (import ../../../common/configs/user/gui/obsidian { inherit user home; })
-    (import ../../../common/configs/user/gui/pipewire { inherit user home; })
-    (import ../../../common/configs/user/gui/qalculate { inherit user home; })
     (import ../../../common/configs/user/gui/qt { inherit user home; })
-    (import ../../../common/configs/user/gui/rofi { inherit user home; })
-    (import ../../../common/configs/user/gui/rquickshare { inherit user home; })
-    (import ../../../common/configs/user/gui/swww { inherit user home; })
     (import ../../../common/configs/user/gui/theme { inherit user home; })
     (import ../../../common/configs/user/gui/vscode { inherit user home; })
-    (import ../../../common/configs/user/gui/wev { inherit user home; })
-    (import ../../../common/configs/user/gui/wl-clipboard { inherit user home; })
-    (import ../../../common/configs/user/gui/x11 { inherit user home; })
-    (import ../../../common/configs/user/gui/xdg { inherit user home; })
 
     (import ./configs/console/gpg { inherit user home; })
+    (import ./configs/console/neovim { inherit user home; })
     (import ./configs/console/podman { inherit user home; })
     (import ./configs/console/sas { inherit user home; })
     (import ./configs/console/ssh { inherit user home; })
+    (import ./configs/console/wsl { inherit user home; })
 
+    (import ./configs/gui/kitty { inherit user home; })
     (import ./configs/gui/obsidian { inherit user home; })
     (import ./configs/gui/vscode { inherit user home; })
   ];
@@ -114,9 +85,13 @@ in
     ];
     linger = true;
     uid = lib.strings.toInt (builtins.readFile ./uid);
+    openssh.authorizedKeys.keyFiles = [
+      "${inputs.secrets}/domains/personal/id_ed25519.pub"
+      "${inputs.secrets}/domains/sas/id_ed25519.pub"
+    ];
   };
 
-  services.getty.autologinUser = user;
+  wsl.defaultUser = user;
 
   home-manager.users.${user}.home = {
     username = user;

hosts/himalia/default.nix

@@ -21,7 +21,6 @@
     ../common/configs/system/documentation
     ../common/configs/system/getty
     ../common/configs/system/git
-    ../common/configs/system/gpg-agent
     ../common/configs/system/impermanence
     ../common/configs/system/lanzaboote
     ../common/configs/system/libvirt
@@ -41,10 +40,10 @@
     ../common/configs/system/smartmontools
     ../common/configs/system/sops
     ../common/configs/system/ssh
+    ../common/configs/system/sshd
     ../common/configs/system/sudo
     ../common/configs/system/system
     ../common/configs/system/timezone
-    ../common/configs/system/tmux
     ../common/configs/system/upower
     ../common/configs/system/users
     ../common/configs/system/zsh

hosts/himalia/hardware/keybinds.nix

@@ -29,18 +29,6 @@
               ", XF86Launch4, exec, ${asusctl} profile -n"
               ", XF86TouchpadToggle, exec, ${touchpadHelper} asuf1209:00-2808:0219-touchpad"
             ];
-
-          bind =
-            let
-              farmAura = lib.meta.getExe (
-                pkgs.writeShellApplication {
-                  name = "farm-aura";
-                  runtimeInputs = with pkgs; [ genact ];
-                  text = builtins.readFile ./scripts/farm-aura.sh;
-                }
-              );
-            in
-            [ ", XF86Launch3, exec, uwsm app -- $term ${farmAura}" ];
         };
     }
   ];

hosts/himalia/hardware/scripts/farm-aura.sh

@@ -1,13 +0,0 @@
-# shellcheck shell=bash
-
-SESSION_NAME="aura-farm-$$"
-
-tmux new-session -d -s "$SESSION_NAME" "genact -s 25"
-tmux set-hook -t "$SESSION_NAME" pane-exited "run-shell 'tmux kill-session -t $SESSION_NAME'"
-
-for _ in {1..4}; do
-  tmux split-window -t "$SESSION_NAME" -h "genact -s 25"
-done
-
-tmux select-layout -t "$SESSION_NAME" tiled
-tmux attach-session -t "$SESSION_NAME"

hosts/himalia/users/nick/configs/console/ssh/default.nix

@@ -19,56 +19,82 @@ in
 
         "ssh/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
 
-        "git/credentials/git.karaolidis.com/admin/username".sopsFile =
+        "git/credentials/git.karaolidis.com/username".sopsFile =
           "${inputs.secrets}/domains/personal/secrets.yaml";
 
-        "git/credentials/git.karaolidis.com/admin/password".sopsFile =
+        "git/credentials/git.karaolidis.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/github.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/github.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitlab.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitlab.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitea.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitea.com/tokens/admin".sopsFile =
           "${inputs.secrets}/domains/personal/secrets.yaml";
       };
 
       templates."git/credentials" = {
         content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/username"}:${
+          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/username"}:${
-            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/password"
+            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/tokens/admin"
           }@git.karaolidis.com
+          https://${hmConfig.sops.placeholder."git/credentials/github.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/github.com/tokens/admin"
+          }@github.com
+          https://${hmConfig.sops.placeholder."git/credentials/gitlab.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/gitlab.com/tokens/admin"
+          }@gitlab.com
+          https://${hmConfig.sops.placeholder."git/credentials/gitea.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/gitea.com/tokens/admin"
+          }@gitea.com
         '';
         path = "${home}/.config/git/credentials";
       };
     };
 
     programs = {
-      ssh = {
+      ssh.matchBlocks = {
-        matchBlocks = {
+        "karaolidis.com" = {
-          "karaolidis.com" = {
+          hostname = "karaolidis.com";
-            hostname = "karaolidis.com";
+          user = "nick";
-            user = "nick";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "github.com" = {
-            hostname = "github.com";
-            user = "git";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "gitlab.com" = {
-            hostname = "gitlab.com";
-            user = "git";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identitiesOnly = true;
-          };
         };
 
-        userKnownHostsFile = builtins.concatStringsSep " " (
+        "tunnel.karaolidis.com" = {
-          with pkgs.sshKnownHosts;
+          hostname = "tunnel.karaolidis.com";
-          [
+          user = "nick";
-            "${home}/.ssh/known_hosts"
+          port = 2222;
-            github
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            gitlab
+        };
-          ]
+
-        );
+        "github.com" = {
+          hostname = "github.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.github;
+        };
+
+        "gitlab.com" = {
+          hostname = "gitlab.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitlab;
+        };
+
+        "gitea.com" = {
+          hostname = "gitea.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitea;
+        };
       };
 
       clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path;

hosts/himalia/users/nick/default.nix

@@ -15,6 +15,7 @@ in
     (import ../../../common/configs/user { inherit user home; })
 
     (import ../../../common/configs/user/console/android { inherit user home; })
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/dive { inherit user home; })
@@ -43,18 +44,17 @@ in
     (import ../../../common/configs/user/console/ssh { inherit user home; })
     (import ../../../common/configs/user/console/ssh-agent { inherit user home; })
     (import ../../../common/configs/user/console/syncthing { inherit user home; })
-    (import ../../../common/configs/user/console/tmux { inherit user home; })
     (import ../../../common/configs/user/console/tree { inherit user home; })
     (import ../../../common/configs/user/console/wget { inherit user home; })
     (import ../../../common/configs/user/console/xdg { inherit user home; })
     (import ../../../common/configs/user/console/yazi { inherit user home; })
     (import ../../../common/configs/user/console/yt-dlp { inherit user home; })
+    (import ../../../common/configs/user/console/zellij { inherit user home; })
     (import ../../../common/configs/user/console/zoxide { inherit user home; })
     (import ../../../common/configs/user/console/zsh { inherit user home; })
 
     (import ../../../common/configs/user/gui/astal { inherit user home; })
     (import ../../../common/configs/user/gui/bluetooth { inherit user home; })
-    (import ../../../common/configs/user/gui/btop { inherit user home; })
     (import ../../../common/configs/user/gui/clipbook { inherit user home; })
     (import ../../../common/configs/user/gui/cliphist { inherit user home; })
     (import ../../../common/configs/user/gui/darktable { inherit user home; })
@@ -74,6 +74,7 @@ in
     (import ../../../common/configs/user/gui/hyprland { inherit user home; })
     (import ../../../common/configs/user/gui/hyprpicker { inherit user home; })
     (import ../../../common/configs/user/gui/hyprshot { inherit user home; })
+    (import ../../../common/configs/user/gui/hyprsunset { inherit user home; })
     (import ../../../common/configs/user/gui/kitty { inherit user home; })
     (import ../../../common/configs/user/gui/libreoffice { inherit user home; })
     (import ../../../common/configs/user/gui/mpv { inherit user home; })
@@ -123,6 +124,7 @@ in
     ];
     linger = true;
     uid = lib.strings.toInt (builtins.readFile ./uid);
+    openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/domains/personal/id_ed25519.pub" ];
   };
 
   services.getty.autologinUser = user;

hosts/installer/default.nix

@@ -19,7 +19,6 @@
     ../common/configs/system/documentation
     ../common/configs/system/getty
     ../common/configs/system/git
-    ../common/configs/system/gpg-agent
     ../common/configs/system/impermanence
     ../common/configs/system/lanzaboote
     ../common/configs/system/neovim
@@ -34,10 +33,10 @@
     ../common/configs/system/power
     ../common/configs/system/sops
     ../common/configs/system/ssh
+    ../common/configs/system/sshd
     ../common/configs/system/sudo
     ../common/configs/system/system
     ../common/configs/system/timezone
-    ../common/configs/system/tmux
     ../common/configs/system/users
     ../common/configs/system/zsh
 

hosts/installer/hardware/default.nix

@@ -9,6 +9,9 @@
     "xhci_pci"
     "usb_storage"
     "sd_mod"
+    "hv_vmbus"
+    "hv_storvsc"
+    "hyperv_keyboard"
   ];
 
   services.fstrim.enable = true;

hosts/installer/users/nick/configs/console/ssh/default.nix

@@ -19,55 +19,81 @@ in
 
         "ssh/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
 
-        "git/credentials/git.karaolidis.com/admin/username".sopsFile =
+        "git/credentials/git.karaolidis.com/username".sopsFile =
           "${inputs.secrets}/domains/personal/secrets.yaml";
 
-        "git/credentials/git.karaolidis.com/admin/password".sopsFile =
+        "git/credentials/git.karaolidis.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/github.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/github.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitlab.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitlab.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitea.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitea.com/tokens/admin".sopsFile =
           "${inputs.secrets}/domains/personal/secrets.yaml";
       };
 
       templates."git/credentials" = {
         content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/username"}:${
+          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/username"}:${
-            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/password"
+            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/tokens/admin"
           }@git.karaolidis.com
+          https://${hmConfig.sops.placeholder."git/credentials/github.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/github.com/tokens/admin"
+          }@github.com
+          https://${hmConfig.sops.placeholder."git/credentials/gitlab.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/gitlab.com/tokens/admin"
+          }@gitlab.com
+          https://${hmConfig.sops.placeholder."git/credentials/gitea.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/gitea.com/tokens/admin"
+          }@gitea.com
         '';
         path = "${home}/.config/git/credentials";
       };
     };
 
-    programs.ssh = {
+    programs.ssh.matchBlocks = {
-      matchBlocks = {
+      "karaolidis.com" = {
-        "karaolidis.com" = {
+        hostname = "karaolidis.com";
-          hostname = "karaolidis.com";
+        user = "nick";
-          user = "nick";
+        identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-          identitiesOnly = true;
-        };
-
-        "github.com" = {
-          hostname = "github.com";
-          user = "git";
-          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-          identitiesOnly = true;
-        };
-
-        "gitlab.com" = {
-          hostname = "gitlab.com";
-          user = "git";
-          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-          identitiesOnly = true;
-        };
       };
 
-      userKnownHostsFile = builtins.concatStringsSep " " (
+      "tunnel.karaolidis.com" = {
-        with pkgs.sshKnownHosts;
+        hostname = "tunnel.karaolidis.com";
-        [
+        user = "nick";
-          "${home}/.ssh/known_hosts"
+        port = 2222;
-          github
+        identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-          gitlab
+      };
-        ]
+
-      );
+      "github.com" = {
+        hostname = "github.com";
+        user = "git";
+        identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.github;
+      };
+
+      "gitlab.com" = {
+        hostname = "gitlab.com";
+        user = "git";
+        identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitlab;
+      };
+
+      "gitea.com" = {
+        hostname = "gitea.com";
+        user = "git";
+        identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitea;
+      };
     };
   };
 }

hosts/installer/users/nick/default.nix

@@ -14,6 +14,7 @@ in
   imports = [
     (import ../../../common/configs/user { inherit user home; })
 
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/fastfetch { inherit user home; })
@@ -31,11 +32,11 @@ in
     (import ../../../common/configs/user/console/sops { inherit user home; })
     (import ../../../common/configs/user/console/ssh { inherit user home; })
     (import ../../../common/configs/user/console/ssh-agent { inherit user home; })
-    (import ../../../common/configs/user/console/tmux { inherit user home; })
     (import ../../../common/configs/user/console/tree { inherit user home; })
     (import ../../../common/configs/user/console/wget { inherit user home; })
     (import ../../../common/configs/user/console/xdg { inherit user home; })
     (import ../../../common/configs/user/console/yazi { inherit user home; })
+    (import ../../../common/configs/user/console/zellij { inherit user home; })
     (import ../../../common/configs/user/console/zoxide { inherit user home; })
     (import ../../../common/configs/user/console/zsh { inherit user home; })
 
@@ -63,6 +64,7 @@ in
     ];
     linger = true;
     uid = lib.strings.toInt (builtins.readFile ./uid);
+    openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/domains/personal/id_ed25519.pub" ];
   };
 
   services.getty.autologinUser = user;

hosts/jupiter-vps/README.md

@@ -2,7 +2,7 @@
 
 ## Installation Instructions
 
-1. Provision an OVHcloud VPS (ideally running Ubuntu).
+1. Provision an OVHcloud VPS (ideally running Ubuntu)
 2. Add personal public key
 3. Add a CNAME entry for `vps.karaolidis.com` pointing to the VPS IP/host
 4. Run `hosts/jupiter-vps/install.sh`

hosts/jupiter-vps/install.sh

@@ -12,6 +12,6 @@ cleanup() {
 trap cleanup EXIT
 
 install -d -m 755 "$temp/etc/ssh"
-cp ./secrets/hosts/jupiter-vps/ssh_host_ed25519_key "$temp/etc/ssh/ssh_host_ed25519_key"
+cp ./submodules/secrets/hosts/jupiter-vps/ssh_host_ed25519_key "$temp/etc/ssh/ssh_host_ed25519_key"
 
 nix run github:nix-community/nixos-anywhere -- --flake .#jupiter-vps --extra-files "$temp" --target-host ubuntu@vps.karaolidis.com -i ~/.ssh/ssh_personal_ed25519_key

hosts/jupiter/hardware/default.nix

@@ -93,6 +93,6 @@
     xserver.videoDrivers = [ "nvidia" ];
     fstrim.enable = true;
     tlp.settings.DISK_DEVICES = lib.mkDefault "nvme0n1 nvme1n1";
-    logind.lidSwitch = "ignore";
+    logind.settings.Login.HandleLidSwitch = "ignore";
   };
 }

hosts/jupiter/users/nick/default.nix

@@ -14,6 +14,7 @@ in
   imports = [
     (import ../../../common/configs/user { inherit user home; })
 
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/fastfetch { inherit user home; })
@@ -30,11 +31,11 @@ in
     (import ../../../common/configs/user/console/ouch { inherit user home; })
     (import ../../../common/configs/user/console/podman { inherit user home; })
     (import ../../../common/configs/user/console/sops { inherit user home; })
-    (import ../../../common/configs/user/console/tmux { inherit user home; })
     (import ../../../common/configs/user/console/tree { inherit user home; })
     (import ../../../common/configs/user/console/wget { inherit user home; })
     (import ../../../common/configs/user/console/xdg { inherit user home; })
     (import ../../../common/configs/user/console/yazi { inherit user home; })
+    (import ../../../common/configs/user/console/zellij { inherit user home; })
     (import ../../../common/configs/user/console/zoxide { inherit user home; })
     (import ../../../common/configs/user/console/zsh { inherit user home; })
 

hosts/jupiter/users/storm/configs/console/podman/attic/default.nix

@@ -0,0 +1,127 @@
+{ user, home }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
+let
+  hmConfig = config.home-manager.users.${user};
+  inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets = {
+        "attic/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "attic/rs256".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "attic/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+      };
+
+      templates = {
+        attic-postgresql-env.content = ''
+          POSTGRES_PASSWORD=${hmConfig.sops.placeholder."attic/postgresql"}
+        '';
+
+        attic-env.content = ''
+          ATTIC_TOKEN=${hmConfig.sops.placeholder."attic/admin"}
+        '';
+
+        attic.content = builtins.readFile (
+          (pkgs.formats.toml { }).generate "server.toml" {
+            listen = "[::]:8080";
+
+            allowed-hosts = [ "nix.karaolidis.com" ];
+            api-endpoint = "https://nix.karaolidis.com/";
+
+            database.url = "postgres://attic:${
+              hmConfig.sops.placeholder."attic/postgresql"
+            }@attic-postgresql:5432/attic";
+
+            storage = {
+              type = "local";
+              path = "/var/lib/attic";
+            };
+
+            chunking = {
+              nar-size-threshold = 65536;
+              min-size = 16384;
+              avg-size = 65536;
+              max-size = 262144;
+            };
+
+            compression = {
+              type = "zstd";
+              level = 8;
+            };
+
+            garbage-collection = {
+              interval = "12 hours";
+              default-retention-period = "1 month";
+            };
+
+            jwt.signing.token-rs256-secret-base64 = hmConfig.sops.placeholder."attic/rs256";
+          }
+        );
+      };
+    };
+
+    systemd.user.tmpfiles.rules = [
+      "d /mnt/storage/private/storm/containers/storage/volumes/attic/_data 700 storm storm"
+    ];
+
+    virtualisation.quadlet = {
+      networks.attic = { };
+
+      volumes.attic-postgresql = { };
+
+      containers = {
+        attic = {
+          containerConfig = {
+            image = "docker-archive:${pkgs.dockerImages.attic}";
+            networks = [
+              networks.attic.ref
+              networks.traefik.ref
+            ];
+            volumes = [
+              "/mnt/storage/private/storm/containers/storage/volumes/attic/_data:/var/lib/attic"
+              "${hmConfig.sops.templates.attic.path}:/etc/attic/server.toml"
+            ];
+            environmentFiles = [ hmConfig.sops.templates.attic-env.path ];
+            exec = [
+              "--config"
+              "/etc/attic/server.toml"
+            ];
+            labels = [
+              "traefik.enable=true"
+              "traefik.http.routers.attic.rule=Host(`nix.karaolidis.com`)"
+            ];
+          };
+
+          unitConfig = {
+            After = [
+              "${containers.attic-postgresql._serviceName}.service"
+              "sops-nix.service"
+            ];
+            Requires = [ "${containers.attic-postgresql._serviceName}.service" ];
+          };
+        };
+
+        attic-postgresql = {
+          containerConfig = {
+            image = "docker-archive:${pkgs.dockerImages.postgresql}";
+            networks = [ networks.attic.ref ];
+            volumes = [ "${volumes.attic-postgresql.ref}:/var/lib/postgresql/data" ];
+            environments = {
+              POSTGRES_DB = "attic";
+              POSTGRES_USER = "attic";
+            };
+            environmentFiles = [ hmConfig.sops.templates.attic-postgresql-env.path ];
+          };
+
+          unitConfig.After = [ "sops-nix.service" ];
+        };
+      };
+    };
+  };
+}

hosts/jupiter/users/storm/configs/console/podman/attic/post-start.sh

@@ -0,0 +1,22 @@
+# shellcheck shell=sh
+
+attic login main https://nix.karaolidis.com/ "$ATTIC_TOKEN"
+
+CACHE_NAME="main"
+
+while true; do
+  out=$(attic cache info "$CACHE_NAME" 2>&1)
+  status=$?
+
+  if [ $status -eq 0 ]; then
+    break
+  elif echo "$out" | grep -q "NoSuchCache"; then
+    attic cache create "$CACHE_NAME"
+  elif echo "$out" | grep -q "404"; then
+    sleep 0.1
+  else
+    echo "Unexpected error:"
+    echo "$out"
+    break
+  fi
+done

hosts/jupiter/users/storm/configs/console/podman/default.nix

@@ -10,6 +10,7 @@ let
 in
 {
   imports = [
+    (import ./attic { inherit user home; })
     (import ./authelia { inherit user home; })
     (import ./gitea { inherit user home; })
     (import ./grafana { inherit user home; })

hosts/jupiter/users/storm/configs/console/podman/grafana/dashboards/traefik.json

@@ -0,0 +1,872 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "id": 2,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              }
+            ]
+          },
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 6,
+        "w": 4,
+        "x": 0,
+        "y": 0
+      },
+      "id": 9,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "percentChangeColorMode": "standard",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "showPercentChange": false,
+        "textMode": "auto",
+        "wideLayout": true
+      },
+      "pluginVersion": "12.1.1",
+      "targets": [
+        {
+          "editorMode": "code",
+          "expr": "sum(increase(traefik_entrypoint_requests_bytes_total{hostname=\"$hostname\"}[$__range]))",
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Requests Received",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "normal"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 12,
+        "w": 10,
+        "x": 4,
+        "y": 0
+      },
+      "id": 3,
+      "options": {
+        "legend": {
+          "calcs": ["mean"],
+          "displayMode": "table",
+          "placement": "right",
+          "showLegend": true,
+          "sortBy": "Mean",
+          "sortDesc": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "pluginVersion": "12.1.1",
+      "targets": [
+        {
+          "editorMode": "code",
+          "expr": "rate(traefik_entrypoint_requests_total{hostname=\"$hostname\"}[$__rate_interval])",
+          "legendFormat": "{{entrypoint}}/{{protocol}}: {{method}}: {{code}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Entrypoint Requests",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "normal"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              }
+            ]
+          },
+          "unit": "binBps"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byFrameRefID",
+              "options": "B"
+            },
+            "properties": [
+              {
+                "id": "custom.transform",
+                "value": "negative-Y"
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 12,
+        "w": 10,
+        "x": 14,
+        "y": 0
+      },
+      "id": 2,
+      "options": {
+        "legend": {
+          "calcs": ["mean"],
+          "displayMode": "table",
+          "placement": "right",
+          "showLegend": true,
+          "sortBy": "Mean",
+          "sortDesc": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "pluginVersion": "12.1.1",
+      "targets": [
+        {
+          "editorMode": "code",
+          "expr": "rate(traefik_entrypoint_requests_bytes_total{hostname=\"$hostname\"}[$__rate_interval])",
+          "legendFormat": "req: {{entrypoint}}/{{protocol}}: {{method}}: {{code}}",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "editorMode": "code",
+          "expr": "rate(traefik_entrypoint_responses_bytes_total{hostname=\"$hostname\"}[$__rate_interval])",
+          "hide": false,
+          "instant": false,
+          "legendFormat": "res: {{entrypoint}}/{{protocol}}: {{method}}: {{code}}",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Entrypoint Bytes",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "thresholds"
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              }
+            ]
+          },
+          "unit": "bytes"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 6,
+        "w": 4,
+        "x": 0,
+        "y": 6
+      },
+      "id": 10,
+      "options": {
+        "colorMode": "value",
+        "graphMode": "none",
+        "justifyMode": "auto",
+        "orientation": "auto",
+        "percentChangeColorMode": "standard",
+        "reduceOptions": {
+          "calcs": ["lastNotNull"],
+          "fields": "",
+          "values": false
+        },
+        "showPercentChange": false,
+        "textMode": "auto",
+        "wideLayout": true
+      },
+      "pluginVersion": "12.1.1",
+      "targets": [
+        {
+          "editorMode": "code",
+          "expr": "sum(increase(traefik_entrypoint_responses_bytes_total{hostname=\"$hostname\"}[$__range]))",
+          "legendFormat": "__auto",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Responses Sent",
+      "type": "stat"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "normal"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 12,
+        "w": 12,
+        "x": 0,
+        "y": 12
+      },
+      "id": 5,
+      "options": {
+        "legend": {
+          "calcs": ["mean"],
+          "displayMode": "table",
+          "placement": "right",
+          "showLegend": true,
+          "sortBy": "Mean",
+          "sortDesc": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "pluginVersion": "12.1.1",
+      "targets": [
+        {
+          "editorMode": "code",
+          "expr": "rate(traefik_service_requests_total{hostname=\"$hostname\"}[$__rate_interval])",
+          "legendFormat": "{{service}}/{{protocol}}: {{method}}: {{code}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Service Requests",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "normal"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              }
+            ]
+          },
+          "unit": "binBps"
+        },
+        "overrides": [
+          {
+            "matcher": {
+              "id": "byFrameRefID",
+              "options": "B"
+            },
+            "properties": [
+              {
+                "id": "custom.transform",
+                "value": "negative-Y"
+              }
+            ]
+          }
+        ]
+      },
+      "gridPos": {
+        "h": 12,
+        "w": 12,
+        "x": 12,
+        "y": 12
+      },
+      "id": 7,
+      "options": {
+        "legend": {
+          "calcs": ["mean"],
+          "displayMode": "table",
+          "placement": "right",
+          "showLegend": true,
+          "sortBy": "Mean",
+          "sortDesc": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "pluginVersion": "12.1.1",
+      "targets": [
+        {
+          "editorMode": "code",
+          "expr": "rate(traefik_service_requests_bytes_total{hostname=\"$hostname\"}[$__rate_interval])",
+          "legendFormat": "req: {{service}}/{{protocol}}: {{method}}: {{code}}",
+          "range": true,
+          "refId": "A"
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "prometheus"
+          },
+          "editorMode": "code",
+          "expr": "rate(traefik_service_responses_bytes_total{hostname=\"$hostname\"}[$__rate_interval])",
+          "hide": false,
+          "instant": false,
+          "legendFormat": "res: {{service}}/{{protocol}}: {{method}}: {{code}}",
+          "range": true,
+          "refId": "B"
+        }
+      ],
+      "title": "Service Bytes",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "normal"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 12,
+        "w": 6,
+        "x": 0,
+        "y": 24
+      },
+      "id": 8,
+      "options": {
+        "legend": {
+          "calcs": ["mean"],
+          "displayMode": "table",
+          "placement": "right",
+          "showLegend": true,
+          "sortBy": "Mean",
+          "sortDesc": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "pluginVersion": "12.1.1",
+      "targets": [
+        {
+          "editorMode": "code",
+          "expr": "rate(authelia_request{hostname=\"$hostname\"}[$__rate_interval])",
+          "legendFormat": "{{method}}: {{code}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Auth Requests",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "type": "linear"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              }
+            ]
+          }
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 12,
+        "w": 6,
+        "x": 6,
+        "y": 24
+      },
+      "id": 4,
+      "options": {
+        "legend": {
+          "calcs": [],
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "pluginVersion": "12.1.1",
+      "targets": [
+        {
+          "editorMode": "code",
+          "expr": "traefik_open_connections{hostname=\"$hostname\"}",
+          "legendFormat": "{{entrypoint}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Connections",
+      "type": "timeseries"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "axisBorderShow": false,
+            "axisCenteredZero": false,
+            "axisColorMode": "text",
+            "axisLabel": "",
+            "axisPlacement": "auto",
+            "barAlignment": 0,
+            "barWidthFactor": 0.6,
+            "drawStyle": "line",
+            "fillOpacity": 10,
+            "gradientMode": "none",
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            },
+            "insertNulls": false,
+            "lineInterpolation": "linear",
+            "lineWidth": 1,
+            "pointSize": 5,
+            "scaleDistribution": {
+              "log": 2,
+              "type": "log"
+            },
+            "showPoints": "auto",
+            "spanNulls": false,
+            "stacking": {
+              "group": "A",
+              "mode": "none"
+            },
+            "thresholdsStyle": {
+              "mode": "off"
+            }
+          },
+          "mappings": [],
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": 0
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "s"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 12,
+        "w": 12,
+        "x": 12,
+        "y": 24
+      },
+      "id": 6,
+      "options": {
+        "legend": {
+          "calcs": ["mean"],
+          "displayMode": "table",
+          "placement": "right",
+          "showLegend": true,
+          "sortBy": "Mean",
+          "sortDesc": true
+        },
+        "tooltip": {
+          "hideZeros": false,
+          "mode": "multi",
+          "sort": "desc"
+        }
+      },
+      "pluginVersion": "12.1.1",
+      "targets": [
+        {
+          "editorMode": "code",
+          "expr": "sum by(service) (rate(traefik_service_request_duration_seconds_sum{hostname=\"$hostname\"}[$__rate_interval]))\n",
+          "legendFormat": "{{service}}",
+          "range": true,
+          "refId": "A"
+        }
+      ],
+      "title": "Request Duration",
+      "type": "timeseries"
+    }
+  ],
+  "preload": false,
+  "refresh": "30s",
+  "schemaVersion": 41,
+  "tags": [],
+  "templating": {
+    "list": [
+      {
+        "current": {
+          "text": "jupiter",
+          "value": "jupiter"
+        },
+        "definition": "label_values(hostname)",
+        "name": "hostname",
+        "options": [],
+        "query": {
+          "qryType": 1,
+          "query": "label_values(hostname)",
+          "refId": "PrometheusVariableQueryEditor-VariableQuery"
+        },
+        "refresh": 1,
+        "regex": "",
+        "type": "query"
+      }
+    ]
+  },
+  "time": {
+    "from": "now-1h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "browser",
+  "title": "Traefik",
+  "uid": "9789120c-ed69-448a-9ef8-77e73b5a25e2",
+  "version": 7
+}

hosts/jupiter/users/storm/configs/console/podman/grafana/default.nix

@@ -127,7 +127,27 @@ in
               networks.grafana.ref
               networks.traefik.ref
             ];
-            volumes = [ "${hmConfig.sops.templates.grafana.path}:/etc/grafana/grafana.ini" ];
+            volumes =
+              let
+                dashboards = (pkgs.formats.yaml { }).generate "default.yaml" {
+                  apiVersion = 1;
+
+                  providers = [
+                    {
+                      name = "Default";
+                      folder = "";
+                      type = "file";
+                      url = "http://prometheus:9090";
+                      options.path = "/var/lib/grafana/dashboards";
+                    }
+                  ];
+                };
+              in
+              [
+                "${hmConfig.sops.templates.grafana.path}:/etc/grafana/grafana.ini:ro"
+                "${dashboards}:/etc/grafana/conf/provisioning/dashboards/default.yaml:ro"
+                "${./dashboards}:/var/lib/grafana/dashboards:ro"
+              ];
             labels = [
               "traefik.enable=true"
               "traefik.http.routers.grafana.rule=Host(`stats.karaolidis.com`)"

hosts/jupiter/users/storm/configs/console/podman/sish/default.nix

@@ -11,7 +11,15 @@ let
   inherit (hmConfig.virtualisation.quadlet) networks;
 in
 {
-  networking.firewall.allowedTCPPorts = [ 2222 ];
+  networking.firewall = {
+    allowedTCPPorts = [ 2222 ];
+    allowedTCPPortRanges = [
+      {
+        from = 61000;
+        to = 61999;
+      }
+    ];
+  };
 
   home-manager.users.${user} = {
     sops.secrets."sish/ssh/key".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
@@ -32,7 +40,6 @@ in
                 name = "authorized_keys";
                 text = lib.strings.concatStringsSep "\n" [
                   (builtins.readFile "${inputs.secrets}/domains/personal/id_ed25519.pub")
-                  (builtins.readFile "${inputs.secrets}/domains/sas/id_globalprotect_ed25519.pub")
                 ];
               };
             in
@@ -45,7 +52,10 @@ in
             "traefik.http.routers.sish.rule=HostRegexp(`^(.+\.)?tunnel\.karaolidis\.com$`)"
             "traefik.http.services.sish.loadbalancer.server.port=80"
           ];
-          publishPorts = [ "2222:2222/tcp" ];
+          publishPorts = [
+            "2222:2222/tcp"
+            "61000-61999:61000-61999/tcp"
+          ];
           exec = [
             "--ssh-address=0.0.0.0:2222"
             "--http-address=0.0.0.0:80"
@@ -56,9 +66,11 @@ in
             "--bind-random-ports=false"
             "--bind-random-aliases=false"
             "--bind-random-subdomains=false"
+            "--port-bind-range=61000-61999"
             "--welcome-message=\"\""
             "--domain=tunnel.karaolidis.com"
             "--proxy-ssl-termination=true"
+            "--idle-connection=false"
           ];
         };
 

hosts/jupiter/users/storm/default.nix

@@ -14,15 +14,16 @@ in
   imports = [
     (import ../../../common/configs/user { inherit user home; })
 
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/home-manager { inherit user home; })
     (import ../../../common/configs/user/console/neovim { inherit user home; })
     (import ../../../common/configs/user/console/podman { inherit user home; })
     (import ../../../common/configs/user/console/sops { inherit user home; })
-    (import ../../../common/configs/user/console/tmux { inherit user home; })
     (import ../../../common/configs/user/console/tree { inherit user home; })
     (import ../../../common/configs/user/console/yazi { inherit user home; })
+    (import ../../../common/configs/user/console/zellij { inherit user home; })
     (import ../../../common/configs/user/console/zoxide { inherit user home; })
     (import ../../../common/configs/user/console/zsh { inherit user home; })
 

overlays/attic-client/default.nix

@@ -0,0 +1,5 @@
+final: prev:
+# FIXME: https://github.com/zhaofengli/attic/pull/280
+prev.attic-client.overrideAttrs (oldAttrs: {
+  patches = oldAttrs.patches or [ ] ++ [ ./stdout-logging.patch ];
+})

overlays/attic-client/stdout-logging.patch

@@ -0,0 +1,321 @@
+diff --git a/client/src/command/cache.rs b/client/src/command/cache.rs
+index af01378..0602b3b 100644
+--- a/client/src/command/cache.rs
++++ b/client/src/command/cache.rs
+@@ -189,7 +189,7 @@ async fn create_cache(sub: Create) -> Result<()> {
+     };
+ 
+     api.create_cache(cache, request).await?;
+-    eprintln!(
++    println!(
+         "✨ Created cache \"{}\" on \"{}\"",
+         cache.as_str(),
+         server_name.as_str()
+@@ -239,7 +239,7 @@ async fn configure_cache(sub: Configure) -> Result<()> {
+     let api = ApiClient::from_server_config(server.clone())?;
+     api.configure_cache(cache, &patch).await?;
+ 
+-    eprintln!(
++    println!(
+         "✅ Configured \"{}\" on \"{}\"",
+         cache.as_str(),
+         server_name.as_str()
+@@ -254,12 +254,12 @@ async fn destroy_cache(sub: Destroy) -> Result<()> {
+     let (server_name, server, cache) = config.resolve_cache(&sub.cache)?;
+ 
+     if !sub.no_confirm {
+-        eprintln!("When you destory a cache:");
+-        eprintln!();
+-        eprintln!("1. Everyone will lose access.");
+-        eprintln!("2. The underlying data won't be deleted immediately.");
+-        eprintln!("3. You may not be able to create a cache of the same name.");
+-        eprintln!();
++        println!("When you destory a cache:");
++        println!();
++        println!("1. Everyone will lose access.");
++        println!("2. The underlying data won't be deleted immediately.");
++        println!("3. You may not be able to create a cache of the same name.");
++        println!();
+ 
+         let answer: String = Input::new()
+             .with_prompt(format!(
+@@ -278,7 +278,7 @@ async fn destroy_cache(sub: Destroy) -> Result<()> {
+     let api = ApiClient::from_server_config(server.clone())?;
+     api.destroy_cache(cache).await?;
+ 
+-    eprintln!("🗑️ The cache was destroyed.");
++    println!("🗑️ The cache was destroyed.");
+ 
+     Ok(())
+ }
+@@ -291,40 +291,40 @@ async fn show_cache_config(sub: Info) -> Result<()> {
+     let cache_config = api.get_cache_config(cache).await?;
+ 
+     if let Some(is_public) = cache_config.is_public {
+-        eprintln!("               Public: {}", is_public);
++        println!("               Public: {}", is_public);
+     }
+ 
+     if let Some(public_key) = cache_config.public_key {
+-        eprintln!("           Public Key: {}", public_key);
++        println!("           Public Key: {}", public_key);
+     }
+ 
+     if let Some(substituter_endpoint) = cache_config.substituter_endpoint {
+-        eprintln!("Binary Cache Endpoint: {}", substituter_endpoint);
++        println!("Binary Cache Endpoint: {}", substituter_endpoint);
+     }
+ 
+     if let Some(api_endpoint) = cache_config.api_endpoint {
+-        eprintln!("         API Endpoint: {}", api_endpoint);
++        println!("         API Endpoint: {}", api_endpoint);
+     }
+ 
+     if let Some(store_dir) = cache_config.store_dir {
+-        eprintln!("      Store Directory: {}", store_dir);
++        println!("      Store Directory: {}", store_dir);
+     }
+ 
+     if let Some(priority) = cache_config.priority {
+-        eprintln!("             Priority: {}", priority);
++        println!("             Priority: {}", priority);
+     }
+ 
+     if let Some(upstream_cache_key_names) = cache_config.upstream_cache_key_names {
+-        eprintln!("  Upstream Cache Keys: {:?}", upstream_cache_key_names);
++        println!("  Upstream Cache Keys: {:?}", upstream_cache_key_names);
+     }
+ 
+     if let Some(retention_period) = cache_config.retention_period {
+         match retention_period {
+             RetentionPeriodConfig::Period(period) => {
+-                eprintln!("     Retention Period: {:?}", period);
++                println!("     Retention Period: {:?}", period);
+             }
+             RetentionPeriodConfig::Global => {
+-                eprintln!("     Retention Period: Global Default");
++                println!("     Retention Period: Global Default");
+             }
+         }
+     }
+diff --git a/client/src/command/login.rs b/client/src/command/login.rs
+index 9abcea7..6cadd59 100644
+--- a/client/src/command/login.rs
++++ b/client/src/command/login.rs
+@@ -28,7 +28,7 @@ pub async fn run(opts: Opts) -> Result<()> {
+     let mut config_m = config.as_mut();
+ 
+     if let Some(server) = config_m.servers.get_mut(&sub.name) {
+-        eprintln!("✍️ Overwriting server \"{}\"", sub.name.as_str());
++        println!("✍️ Overwriting server \"{}\"", sub.name.as_str());
+ 
+         server.endpoint = sub.endpoint.to_owned();
+ 
+@@ -38,7 +38,7 @@ pub async fn run(opts: Opts) -> Result<()> {
+             });
+         }
+     } else {
+-        eprintln!("✍️ Configuring server \"{}\"", sub.name.as_str());
++        println!("✍️ Configuring server \"{}\"", sub.name.as_str());
+ 
+         config_m.servers.insert(
+             sub.name.to_owned(),
+diff --git a/client/src/command/push.rs b/client/src/command/push.rs
+index b2bb661..5d39549 100644
+--- a/client/src/command/push.rs
++++ b/client/src/command/push.rs
+@@ -91,7 +91,7 @@ impl PushContext {
+ 
+             return Ok(());
+         } else {
+-            eprintln!("⚙️ Pushing {num_missing_paths} paths to \"{cache}\" on \"{server}\" ({num_already_cached} already cached, {num_upstream} in upstream)...",
++            println!("⚙️ Pushing {num_missing_paths} paths to \"{cache}\" on \"{server}\" ({num_already_cached} already cached, {num_upstream} in upstream)...",
+                 cache = self.cache_name.as_str(),
+                 server = self.server_name.as_str(),
+                 num_missing_paths = plan.store_path_map.len(),
+diff --git a/client/src/command/use.rs b/client/src/command/use.rs
+index 37d8cd6..d87f65e 100644
+--- a/client/src/command/use.rs
++++ b/client/src/command/use.rs
+@@ -34,15 +34,15 @@ pub async fn run(opts: Opts) -> Result<()> {
+     let public_key = cache_config.public_key
+         .ok_or_else(|| anyhow!("The server did not tell us which public key it uses. Is signing managed by the client?"))?;
+ 
+-    eprintln!(
++    println!(
+         "Configuring Nix to use \"{cache}\" on \"{server_name}\":",
+         cache = cache.as_str(),
+         server_name = server_name.as_str(),
+     );
+ 
+     // Modify nix.conf
+-    eprintln!("+ Substituter: {}", substituter);
+-    eprintln!("+ Trusted Public Key: {}", public_key);
++    println!("+ Substituter: {}", substituter);
++    println!("+ Trusted Public Key: {}", public_key);
+ 
+     let mut nix_config = NixConfig::load().await?;
+     nix_config.add_substituter(&substituter);
+@@ -50,7 +50,7 @@ pub async fn run(opts: Opts) -> Result<()> {
+ 
+     // Modify netrc
+     if let Some(token) = server.token()? {
+-        eprintln!("+ Access Token");
++        println!("+ Access Token");
+ 
+         let mut nix_netrc = NixNetrc::load().await?;
+         let host = Url::parse(&substituter)?
+diff --git a/client/src/command/watch_store.rs b/client/src/command/watch_store.rs
+index 24eaf7a..aec0c33 100644
+--- a/client/src/command/watch_store.rs
++++ b/client/src/command/watch_store.rs
+@@ -91,7 +91,7 @@ pub async fn run(opts: Opts) -> Result<()> {
+ 
+     watcher.watch(&store_dir, RecursiveMode::NonRecursive)?;
+ 
+-    eprintln!(
++    println!(
+         "👀 Pushing new store paths to \"{cache}\" on \"{server}\"",
+         cache = cache.as_str(),
+         server = server_name.as_str(),
+diff --git a/client/src/push.rs b/client/src/push.rs
+index 309bd4b..2fea414 100644
+--- a/client/src/push.rs
++++ b/client/src/push.rs
+@@ -595,7 +595,7 @@ pub async fn upload_path(
+             };
+ 
+             mp.suspend(|| {
+-                eprintln!(
++                println!(
+                     "✅ {} ({})",
+                     path.as_os_str().to_string_lossy(),
+                     info_string
+diff --git a/server/src/database/migration/m20230112_000004_migrate_nar_remote_files_to_chunks.rs b/server/src/database/migration/m20230112_000004_migrate_nar_remote_files_to_chunks.rs
+index 42d70a6..6bbe585 100644
+--- a/server/src/database/migration/m20230112_000004_migrate_nar_remote_files_to_chunks.rs
++++ b/server/src/database/migration/m20230112_000004_migrate_nar_remote_files_to_chunks.rs
+@@ -24,7 +24,7 @@ impl MigrationTrait for Migration {
+         // When this migration is run, we assume that there are no
+         // preexisting chunks.
+ 
+-        eprintln!("* Migrating NARs to chunks...");
++        println!("* Migrating NARs to chunks...");
+ 
+         // Add a temporary column into `chunk` to store the related `nar_id`.
+         manager
+diff --git a/server/src/database/migration/m20230112_000005_drop_old_nar_columns.rs b/server/src/database/migration/m20230112_000005_drop_old_nar_columns.rs
+index 9d29b66..7436b4a 100644
+--- a/server/src/database/migration/m20230112_000005_drop_old_nar_columns.rs
++++ b/server/src/database/migration/m20230112_000005_drop_old_nar_columns.rs
+@@ -16,7 +16,7 @@ impl MigrationName for Migration {
+ #[async_trait::async_trait]
+ impl MigrationTrait for Migration {
+     async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+-        eprintln!("* Migrating NAR schema...");
++        println!("* Migrating NAR schema...");
+ 
+         if manager.get_database_backend() == DatabaseBackend::Sqlite {
+             // Just copy all data to a new table
+diff --git a/server/src/lib.rs b/server/src/lib.rs
+index 0314e69..89644e1 100644
+--- a/server/src/lib.rs
++++ b/server/src/lib.rs
+@@ -217,7 +217,7 @@ async fn fallback(_: Uri) -> ServerResult<()> {
+ 
+ /// Runs the API server.
+ pub async fn run_api_server(cli_listen: Option<SocketAddr>, config: Config) -> Result<()> {
+-    eprintln!("Starting API server...");
++    println!("Starting API server...");
+ 
+     let state = StateInner::new(config).await;
+ 
+@@ -239,7 +239,7 @@ pub async fn run_api_server(cli_listen: Option<SocketAddr>, config: Config) -> R
+         .layer(TraceLayer::new_for_http())
+         .layer(CatchPanicLayer::new());
+ 
+-    eprintln!("Listening on {:?}...", listen);
++    println!("Listening on {:?}...", listen);
+ 
+     let listener = TcpListener::bind(&listen).await?;
+ 
+@@ -256,7 +256,7 @@ pub async fn run_api_server(cli_listen: Option<SocketAddr>, config: Config) -> R
+ 
+ /// Runs database migrations.
+ pub async fn run_migrations(config: Config) -> Result<()> {
+-    eprintln!("Running migrations...");
++    println!("Running migrations...");
+ 
+     let state = StateInner::new(config).await;
+     let db = state.database().await?;
+diff --git a/server/src/main.rs b/server/src/main.rs
+index c5f08df..3a37c23 100644
+--- a/server/src/main.rs
++++ b/server/src/main.rs
+@@ -121,14 +121,14 @@ fn init_logging(tokio_console: bool) {
+         .init();
+ 
+     if tokio_console {
+-        eprintln!("Note: tokio-console is enabled");
++        println!("Note: tokio-console is enabled");
+     }
+ }
+ 
+ fn dump_version() {
+     #[cfg(debug_assertions)]
+-    eprintln!("Attic Server {} (debug)", env!("CARGO_PKG_VERSION"));
++    println!("Attic Server {} (debug)", env!("CARGO_PKG_VERSION"));
+ 
+     #[cfg(not(debug_assertions))]
+-    eprintln!("Attic Server {} (release)", env!("CARGO_PKG_VERSION"));
++    println!("Attic Server {} (release)", env!("CARGO_PKG_VERSION"));
+ }
+diff --git a/server/src/oobe.rs b/server/src/oobe.rs
+index d3d912d..98ef88c 100644
+--- a/server/src/oobe.rs
++++ b/server/src/oobe.rs
+@@ -77,25 +77,25 @@ pub async fn run_oobe() -> Result<()> {
+         token.encode(&SignatureType::RS256(key), &None, &None)?
+     };
+ 
+-    eprintln!();
+-    eprintln!("-----------------");
+-    eprintln!("Welcome to Attic!");
+-    eprintln!();
+-    eprintln!("A simple setup using SQLite and local storage has been configured for you in:");
+-    eprintln!();
+-    eprintln!("    {}", config_path.to_str().unwrap());
+-    eprintln!();
+-    eprintln!("Run the following command to log into this server:");
+-    eprintln!();
+-    eprintln!("    attic login local http://localhost:8080 {root_token}");
+-    eprintln!();
+-    eprintln!("Documentations and guides:");
+-    eprintln!();
+-    eprintln!("    https://docs.attic.rs");
+-    eprintln!();
+-    eprintln!("Enjoy!");
+-    eprintln!("-----------------");
+-    eprintln!();
++    println!();
++    println!("-----------------");
++    println!("Welcome to Attic!");
++    println!();
++    println!("A simple setup using SQLite and local storage has been configured for you in:");
++    println!();
++    println!("    {}", config_path.to_str().unwrap());
++    println!();
++    println!("Run the following command to log into this server:");
++    println!();
++    println!("    attic login local http://localhost:8080 {root_token}");
++    println!();
++    println!("Documentations and guides:");
++    println!();
++    println!("    https://docs.attic.rs");
++    println!();
++    println!("Enjoy!");
++    println!("-----------------");
++    println!();
+ 
+     Ok(())
+ }

overlays/default.nix

@@ -1,17 +1,19 @@
 final: prev:
 {
   android-tools = import ./android-tools final prev;
+  attic-client = import ./attic-client final prev;
   darktable = import ./darktable final prev;
   hyprland = import ./hyprland final prev;
   mpv = import ./mpv final prev;
-  ncspot = import ./ncspot final prev;
   spicetify-cli = import ./spicetify-cli final prev;
+  tea = import ./tea final prev;
   telepresence = import ./telepresence final prev;
 }
 // (import ../packages { pkgs = final; })
 // {
   dockerImages = prev.dockerImages or { } // {
     adguardhome = final.docker-image-adguardhome;
+    attic = final.docker-image-attic;
     authelia = final.docker-image-authelia;
     base = final.docker-image-base;
     comentario = final.docker-image-comentario;
@@ -82,6 +84,7 @@ final: prev:
   };
 
   sshKnownHosts = prev.sshKnownHosts or { } // {
+    gitea = final.ssh-known-hosts-gitea;
     github = final.ssh-known-hosts-github;
     gitlab = final.ssh-known-hosts-gitlab;
   };

overlays/ncspot/default.nix

@@ -1,15 +0,0 @@
-final: prev:
-# FIXME: https://github.com/hrkfdn/ncspot/issues/1681#issuecomment-3186274719
-prev.ncspot.overrideAttrs (oldAttrs: rec {
-  src = prev.fetchFromGitHub {
-    owner = "hrkfdn";
-    repo = "ncspot";
-    rev = "aac67d631f25bbc79f509d34aa85e6daff954830";
-    hash = "sha256-B6BA1ksfDEySZH6gzkU5khOzwXAmeHbMHsx3sXd9lbs=";
-  };
-
-  cargoDeps = prev.rustPlatform.fetchCargoVendor {
-    inherit src;
-    hash = "sha256-HrQJiIzSvu/vR03UdnCcU6TGToBDKKDC6XscjvX3KPE=";
-  };
-})

overlays/tea/default.nix

@@ -0,0 +1,10 @@
+final: prev:
+prev.tea.overrideAttrs (oldAttrs: {
+  patches = oldAttrs.patches or [ ] ++ [
+    (builtins.fetchurl {
+      url = "https://gitea.com/gitea/tea/pulls/639.patch";
+      sha256 = "sha256:0c5gpi6aajd3h0wp7lrvj5qk9wsqhgbap7ijvl0x117v0g8mgzvs";
+    })
+    ./instance-ssh-host-env.patch
+  ];
+})

overlays/tea/instance-ssh-host-env.patch

@@ -0,0 +1,174 @@
+diff --git a/modules/config/login.go b/modules/config/login.go
+index 3b77fb9..94de9cd 100644
+--- a/modules/config/login.go
++++ b/modules/config/login.go
+@@ -13,6 +13,7 @@ import (
+ 	"net/http/cookiejar"
+ 	"net/url"
+ 	"os"
++	"strconv"
+ 	"strings"
+ 	"time"
+ 
+@@ -200,6 +201,63 @@ func UpdateLogin(login *Login) error {
+ 	return saveConfig()
+ }
+ 
++// CreateLoginFromEnvVars returns a login based on environment variables, or nil if no login can be created
++func CreateLoginFromEnvVars() (*Login, error) {
++	var token string
++
++	giteaToken := os.Getenv("GITEA_TOKEN")
++	githubToken := os.Getenv("GH_TOKEN")
++	giteaInstanceURL := os.Getenv("GITEA_INSTANCE_URL")
++	instanceInsecure := os.Getenv("GITEA_INSTANCE_INSECURE")
++	giteaInstanceSSHHost := os.Getenv("GITEA_INSTANCE_SSH_HOST")
++	insecure := false
++	if len(instanceInsecure) > 0 {
++		insecure, _ = strconv.ParseBool(instanceInsecure)
++	}
++
++	// if no tokens are set, or no instance url for gitea fail fast
++	if len(giteaInstanceURL) == 0 || (len(giteaToken) == 0 && len(githubToken) == 0) {
++		return nil, nil
++	}
++
++	token = giteaToken
++	if len(giteaToken) == 0 {
++		token = githubToken
++	}
++
++	login := &Login{
++		Name:              "GITEA_LOGIN_VIA_ENV",
++		URL:               giteaInstanceURL,
++		Token:             token,
++		SSHHost:           giteaInstanceSSHHost,
++		Insecure:          insecure,
++		SSHKey:            "",
++		SSHCertPrincipal:  "",
++		SSHKeyFingerprint: "",
++		SSHAgent:          false,
++		VersionCheck:      true,
++		Created:           time.Now().Unix(),
++	}
++
++	client := login.Client()
++	u, _, err := client.GetMyUserInfo()
++	if err != nil {
++		return nil, fmt.Errorf("failed to validate token: %s", err)
++	}
++
++	login.User = u.UserName
++
++	if login.SSHHost == "" {
++		parsedURL, err := url.Parse(giteaInstanceURL)
++		if err != nil {
++			return nil, err
++		}
++		login.SSHHost = parsedURL.Host
++	}
++
++	return login, nil
++}
++
+ // Client returns a client to operate Gitea API. You may provide additional modifiers
+ // for the client like gitea.SetBasicAuth() for customization
+ func (l *Login) Client(options ...gitea.ClientOption) *gitea.Client {
+diff --git a/modules/context/context.go b/modules/context/context.go
+index aec5592..636eeec 100644
+--- a/modules/context/context.go
++++ b/modules/context/context.go
+@@ -9,9 +9,7 @@ import (
+ 	"log"
+ 	"os"
+ 	"path"
+-	"strconv"
+ 	"strings"
+-	"time"
+ 
+ 	"code.gitea.io/tea/modules/config"
+ 	"code.gitea.io/tea/modules/git"
+@@ -108,16 +106,6 @@ func InitCommand(cmd *cli.Command) *TeaContext {
+ 		c.RepoSlug = repoFlag
+ 	}
+ 
+-	// override config user with env variable
+-	envLogin := GetLoginByEnvVar()
+-	if envLogin != nil {
+-		_, err := utils.ValidateAuthenticationMethod(envLogin.URL, envLogin.Token, "", "", false, "", "")
+-		if err != nil {
+-			log.Fatal(err.Error())
+-		}
+-		c.Login = envLogin
+-	}
+-
+ 	// override login from flag, or use default login if repo based detection failed
+ 	if len(loginFlag) != 0 {
+ 		c.Login = config.GetLoginByName(loginFlag)
+@@ -196,10 +184,25 @@ func contextFromLocalRepo(repoPath, remoteValue string) (*git.TeaRepo, *config.L
+ 		return repo, nil, "", fmt.Errorf("Remote '%s' not found in this Git repository", remoteValue)
+ 	}
+ 
++	envLogin, err := config.CreateLoginFromEnvVars()
++	if err != nil {
++		log.Fatal(err.Error())
++	}
++
+ 	logins, err := config.GetLogins()
+ 	if err != nil {
+ 		return repo, nil, "", err
+ 	}
++
++	if envLogin != nil {
++		_, err := utils.ValidateAuthenticationMethod(envLogin.URL, envLogin.Token, "", "", false, "", "")
++		if err != nil {
++			log.Fatal(err.Error())
++		}
++
++		logins = append([]config.Login{*envLogin}, logins...)
++	}
++
+ 	for _, l := range logins {
+ 		sshHost := l.GetSSHHost()
+ 		for _, u := range remoteConfig.URLs {
+@@ -223,40 +226,3 @@ func contextFromLocalRepo(repoPath, remoteValue string) (*git.TeaRepo, *config.L
+ 
+ 	return repo, nil, "", errNotAGiteaRepo
+ }
+-
+-// GetLoginByEnvVar returns a login based on environment variables, or nil if no login can be created
+-func GetLoginByEnvVar() *config.Login {
+-	var token string
+-
+-	giteaToken := os.Getenv("GITEA_TOKEN")
+-	githubToken := os.Getenv("GH_TOKEN")
+-	giteaInstanceURL := os.Getenv("GITEA_INSTANCE_URL")
+-	instanceInsecure := os.Getenv("GITEA_INSTANCE_INSECURE")
+-	insecure := false
+-	if len(instanceInsecure) > 0 {
+-		insecure, _ = strconv.ParseBool(instanceInsecure)
+-	}
+-
+-	// if no tokens are set, or no instance url for gitea fail fast
+-	if len(giteaInstanceURL) == 0 || (len(giteaToken) == 0 && len(githubToken) == 0) {
+-		return nil
+-	}
+-
+-	token = giteaToken
+-	if len(giteaToken) == 0 {
+-		token = githubToken
+-	}
+-
+-	return &config.Login{
+-		Name:              "GITEA_LOGIN_VIA_ENV",
+-		URL:               giteaInstanceURL,
+-		Token:             token,
+-		Insecure:          insecure,
+-		SSHKey:            "",
+-		SSHCertPrincipal:  "",
+-		SSHKeyFingerprint: "",
+-		SSHAgent:          false,
+-		Created:           time.Now().Unix(),
+-		VersionCheck:      false,
+-	}
+-}

packages/comentario/default.nix

@@ -2,14 +2,14 @@
 # AUTO-UPDATE: nix-update --flake comentario --version=branch=dev --subpackage frontend
 pkgs.buildGoModule (finalAttrs: {
   pname = "comentario";
-  version = "3.14.0-unstable-2025-08-08";
+  version = "3.14.0-unstable-2025-08-29";
 
   src = pkgs.fetchFromGitLab {
     owner = "comentario";
     repo = "comentario";
     # FIXME: Stable rev once type error is fixed
-    rev = "7380d55820827db82f9d191ad82cd35cdbf08cfa";
+    rev = "90773f976366318389f9d5aa457e6303e6159740";
-    hash = "sha256-uWpHrI4K/VfekW4PDaJXyqjyCGXbYnsGwV0OCSsfw3s=";
+    hash = "sha256-f0Y+OdbsG8eA2kD17b4QWaL0hAuoF476XtYm/aFOmLY=";
   };
 
   patches = [
@@ -37,7 +37,7 @@ pkgs.buildGoModule (finalAttrs: {
     missingHashes = ./missing-hashes.json;
     offlineCache = pkgs.yarn-berry.fetchYarnBerryDeps {
       inherit (finalFrontendAttrs) src patches missingHashes;
-      hash = "sha256-HGxWvdFDTCPoDD6ry30gfprvpDAMoQJ0RHMkCzOcVRs=";
+      hash = "sha256-bn/PNgk7ZjCzGSj7BQQCB+5RY+ivJGYZa2/GC4eRjPY=";
     };
 
     nativeBuildInputs = with pkgs; [

packages/darktable/lua-scripts/default.nix

@@ -2,13 +2,13 @@
 # AUTO-UPDATE: nix-update --flake --version=branch=master darktable-lua-scripts
 pkgs.stdenv.mkDerivation {
   pname = "lua-scripts";
-  version = "release-2.0.0-unstable-2025-07-05";
+  version = "release-2.0.0-unstable-2025-08-18";
 
   src = pkgs.fetchFromGitHub {
     owner = "darktable-org";
     repo = "lua-scripts";
-    rev = "aed3275943f218e559c58b98579ceafb02e220da";
+    rev = "c95547caa72f7b136b5192dd19a535da3fbe4e9b";
-    hash = "sha256-vRE0kxqbjdjwU+S0Eu44ctYulYPgD0XsrTsz1ESq6t0=";
+    hash = "sha256-Qt3DkmNH/ZWY3uI8UvhSM4dDt7KDQlJqOnPmsySGGwU=";
   };
 
   installPhase = ''

packages/default.nix

@@ -6,6 +6,7 @@
   darktable-lua-scripts = import ./darktable/lua-scripts { inherit pkgs; };
 
   docker-image-adguardhome = import ./docker/adguardhome { inherit pkgs; };
+  docker-image-attic = import ./docker/attic { inherit pkgs; };
   docker-image-authelia = import ./docker/authelia { inherit pkgs; };
   docker-image-base = import ./docker/base { inherit pkgs; };
   docker-image-comentario = import ./docker/comentario { inherit pkgs; };
@@ -86,8 +87,11 @@
   shlink = import ./shlink { inherit pkgs; };
   shlink-web-client = import ./shlink-web-client { inherit pkgs; };
 
+  ssh-known-hosts-gitea = import ./ssh/known-hosts/gitea { inherit pkgs; };
   ssh-known-hosts-github = import ./ssh/known-hosts/github { inherit pkgs; };
   ssh-known-hosts-gitlab = import ./ssh/known-hosts/gitlab { inherit pkgs; };
 
+  wsl-wl-clipboard = import ./wsl-wl-clipboard { inherit pkgs; };
+
   yazi-plugin-custom-shell = import ./yazi/plugins/custom-shell { inherit pkgs; };
 }

packages/docker/adguardhome/default.nix

@@ -9,7 +9,7 @@ let
 in
 pkgs.dockerTools.buildImage {
   name = "adguardhome";
-  fromImage = import ../base { inherit pkgs; };
+  fromImage = pkgs.docker-image-base;
 
   copyToRoot = pkgs.buildEnv {
     name = "root";

packages/docker/attic/default.nix

@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+let
+  entrypoint = pkgs.writeTextFile {
+    name = "entrypoint";
+    executable = true;
+    destination = "/bin/entrypoint";
+    text = builtins.readFile ./entrypoint.sh;
+  };
+in
+pkgs.dockerTools.buildImage {
+  name = "attic";
+  fromImage = pkgs.docker-image-base;
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = with pkgs; [
+      entrypoint
+      attic-server
+      attic-client
+    ];
+    pathsToLink = [ "/bin" ];
+  };
+
+  config = {
+    Entrypoint = [ "entrypoint" ];
+    ExposedPorts = {
+      "8080/tcp" = { };
+    };
+    WorkingDir = "/var/lib/atticd";
+    Volumes = {
+      "/var/lib/atticd" = { };
+    };
+  };
+}

packages/docker/attic/entrypoint.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+
+atticd "$@" &
+PID=$!
+
+if [ -f /etc/attic/post-start.sh ]; then
+  # shellcheck disable=SC1091
+  . /etc/attic/post-start.sh
+fi
+
+trap 'kill -KILL "$PID"' INT TERM
+wait "$PID"
+exit $?

packages/docker/authelia/default.nix

@@ -9,7 +9,7 @@ let
 in
 pkgs.dockerTools.buildImage {
   name = "authelia";
-  fromImage = import ../base { inherit pkgs; };
+  fromImage = pkgs.docker-image-base;
 
   copyToRoot = pkgs.buildEnv {
     name = "root";

packages/docker/comentario/default.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 pkgs.dockerTools.buildImage {
   name = "comentario";
-  fromImage = import ../base { inherit pkgs; };
+  fromImage = pkgs.docker-image-base;
 
   copyToRoot = pkgs.buildEnv {
     name = "root";

packages/docker/flaresolverr/default.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 pkgs.dockerTools.buildImage {
   name = "flaresolverr";
-  fromImage = import ../base { inherit pkgs; };
+  fromImage = pkgs.docker-image-base;
 
   copyToRoot = pkgs.buildEnv {
     name = "root";

packages/docker/gitea-act-runner/default.nix

@@ -29,7 +29,7 @@ let
 in
 pkgs.dockerTools.buildImage {
   name = "gitea-act-runner";
-  fromImage = import ../base { inherit pkgs; };
+  fromImage = pkgs.docker-image-base;
 
   copyToRoot = pkgs.buildEnv {
     name = "root";

packages/docker/gitea/default.nix

@@ -9,7 +9,7 @@ let
 in
 pkgs.dockerTools.buildImage {
   name = "gitea";
-  fromImage = import ../base { inherit pkgs; };
+  fromImage = pkgs.docker-image-base;
 
   copyToRoot = pkgs.buildEnv {
     name = "root";

packages/docker/grafana-image-renderer/default.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 pkgs.dockerTools.buildImage {
   name = "grafana-image-renderer";
-  fromImage = import ../base { inherit pkgs; };
+  fromImage = pkgs.docker-image-base;
 
   copyToRoot = pkgs.buildEnv {
     name = "root";

packages/docker/grafana/default.nix

@@ -1,7 +1,7 @@
 { pkgs, ... }:
 pkgs.dockerTools.buildImage {
   name = "grafana";
-  fromImage = import ../base { inherit pkgs; };
+  fromImage = pkgs.docker-image-base;
 
   copyToRoot = pkgs.buildEnv {
     name = "root";

packages/docker/jellyfin/default.nix

@@ -21,7 +21,7 @@ let
 in
 pkgs.dockerTools.buildImage {
   name = "jellyfin";
-  fromImage = import ../base { inherit pkgs; };
+  fromImage = pkgs.docker-image-base;
 
   copyToRoot = pkgs.buildEnv {
     name = "root";