Add attic

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

README.md

@@ -20,11 +20,12 @@ NixOS dotfiles and configuration for various hosts and users.
 
 - [`packages/`](./packages/): Custom packages.
 
-- [`scripts/`](./lib/scripts): Utility scripts for managing the repository.
-  - [`add-host.sh`](./lib/scripts/add-host.sh): Instantiate the keys for a new host configuration.
-  - [`remove-host.sh`](./lib/scripts/remove-host.sh): Remove references to a host.
-  - [`update-keys.sh`](./lib/scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
-  - [`update.sh`](./lib/scripts/update.sh): Update flake and all packages.
+- [`scripts/`](./scripts): Utility scripts for managing the repository.
+  - [`add-host.sh`](./scripts/add-host.sh): Instantiate the keys for a new host configuration.
+  - [`remove-host.sh`](./scripts/remove-host.sh): Remove references to a host.
+  - [`update-keys.sh`](./scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
+  - [`update.sh`](./scripts/update.sh): Update flake and all packages.
+  - [`cache.sh`](./scripts/cache.sh): Build all `nixosConfiguration`s and push them to `attic`.
 
 Any `options.nix` files create custom option definitions when present.
 

flake.lock

@@ -10,11 +10,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754932414,
-        "narHash": "sha256-V8c+68Axn5AGDCaG9Zv+EqNU4D6xWPHNXLIapq6AGiM=",
+        "lastModified": 1756487002,
+        "narHash": "sha256-hN9RfNXy53qAkT68T+IYZpl68uE1uPOVMkw0MqC43KA=",
         "owner": "aylur",
         "repo": "ags",
-        "rev": "9e6912b51d7bc58f35d10b11be1a126b926b56d3",
+        "rev": "8ff792dba6cc82eed10e760f551075564dd0a407",
         "type": "github"
       },
       "original": {
@@ -30,11 +30,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754893912,
-        "narHash": "sha256-kzU/3A4k+d3PsgMLohzSh4KJybTqvzqibUVqV2yXCGY=",
+        "lastModified": 1756474652,
+        "narHash": "sha256-iiBU6itpEqE0spXeNJ3uJTfioSyKYjt5bNepykpDXTE=",
         "owner": "aylur",
         "repo": "astal",
-        "rev": "5d4eef66392b0dff99a63a4f39ff886624bd69dd",
+        "rev": "20bd8318e4136fbd3d4eb2d64dbabc3acbc915dd",
         "type": "github"
       },
       "original": {
@@ -183,11 +183,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755442500,
-        "narHash": "sha256-RHK4H6SWzkAtW/5WBHsyugaXJX25yr5y7FAZznxcBJs=",
+        "lastModified": 1756579987,
+        "narHash": "sha256-duCce8zGsaMsrqqOmLOsuaV1PVIw/vXWnKuLKZClsGg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d2ffdedfc39c591367b1ddf22b4ce107f029dcc3",
+        "rev": "99a69bdf8a3c6bf038c4121e9c4b6e99706a187a",
         "type": "github"
       },
       "original": {
@@ -289,11 +289,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1755186698,
-        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
+        "lastModified": 1756542300,
+        "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
+        "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa",
         "type": "github"
       },
       "original": {
@@ -328,11 +328,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755452770,
-        "narHash": "sha256-oc8xrqvVIoDxbfTlbkE1XQ7O88TgNZn5FOZKLiuIEmg=",
+        "lastModified": 1756630008,
+        "narHash": "sha256-weZiVKbiWQzTifm6qCxzhxghEu5mbh9mWNUdkzOLCR0=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "eab62298402c7cdfdefda647a4046befa3a84051",
+        "rev": "f6a5a7b60dd6065e78ef06390767e689ffa3c23f",
         "type": "github"
       },
       "original": {
@@ -381,11 +381,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755069017,
-        "narHash": "sha256-cTD5WfZRK2mwrSktlYcrk6DOEEkQbE1z78O16TF293c=",
+        "lastModified": 1756052001,
+        "narHash": "sha256-dlLqyHxqiFAoIwshKe9X3PzXcJ+up88Qb2JVQswFaNE=",
         "owner": "icewind1991",
         "repo": "nvidia-patch-nixos",
-        "rev": "d187885c14bdd8520d40f527134d536168f8d92b",
+        "rev": "780af7357d942fad2ddd9f325615a5f6ea7e37ee",
         "type": "github"
       },
       "original": {
@@ -495,11 +495,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755506147,
-        "narHash": "sha256-B4e60+9j1cMEhAjpvgcNSSJbzPe2CUpAo2av15xd/0M=",
+        "lastModified": 1755532656,
+        "narHash": "sha256-xYb5dJej3emyr4oWWAhkMP8rPc3kdVOXGZcIbAx1Y/I=",
         "ref": "refs/heads/main",
-        "rev": "ebe2f986fc82df849d879f5b0af403c78ead2002",
-        "revCount": 10,
+        "rev": "b01f3f8456903cb1bde9637cc23b456b47354138",
+        "revCount": 11,
         "type": "git",
         "url": "ssh://git@karaolidis.com/karaolidis/nix-sas.git"
       },
@@ -511,11 +511,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1755454846,
-        "narHash": "sha256-tbI+AcQGvtucMKKr+VHM53ZI6upPBjD9kR5PCyF4K60=",
+        "lastModified": 1756900832,
+        "narHash": "sha256-sMne4dvYzcdbDVcMPY6NLVHiZbgjtDrxttKG0Vig8WQ=",
         "ref": "refs/heads/main",
-        "rev": "c1a835c4f9ba9915671c79b3241f4d4863f11323",
-        "revCount": 33,
+        "rev": "adac63f6daffb4e14ce0fb94e93eb987e2460064",
+        "revCount": 38,
         "type": "git",
         "url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git"
       },
@@ -554,11 +554,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755405549,
-        "narHash": "sha256-0vJD6WhL1jfXbnpH6r8yr1RgzB8mGFWIWokKHaJMJ/4=",
+        "lastModified": 1756614537,
+        "narHash": "sha256-qyszmZO9CEKAlj5NBQo1AIIADm5Fgqs5ZggW1sU1TVo=",
         "owner": "Gerg-L",
         "repo": "spicetify-nix",
-        "rev": "df1f5d4c0633040937358755defff9f07e9c0a73",
+        "rev": "374eb5d97092b97f7aaafd58a2012943b388c0df",
         "type": "github"
       },
       "original": {
@@ -589,11 +589,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1754847726,
-        "narHash": "sha256-2vX8QjO5lRsDbNYvN9hVHXLU6oMl+V/PsmIiJREG4rE=",
+        "lastModified": 1755934250,
+        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "7d81f6fb2e19bf84f1c65135d1060d829fae2408",
+        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
         "type": "github"
       },
       "original": {

hosts/common/configs/system/nix-install/install.completion.zsh

@@ -18,8 +18,8 @@ _nix-install_completion() {
 
   _list_keys() {
     local flake="$(realpath ${words[2]})"
-    if [[ -d "$flake/secrets" ]]; then
-      find "$flake/secrets" -type f -name 'key.txt' | sed -E 's|^.*/secrets/([^/]+)/key.txt$|\1|' | sort -u
+    if [[ -d "$flake/submodules/secrets/domains" ]]; then
+      find "$flake/submodules/secrets/domains" -type f -name 'key.txt' | sed -E 's|^.*/submodules/secrets/domains/([^/]+)/key.txt$|\1|' | sort -u
     fi
   }
 

hosts/common/configs/system/nix/default.nix

@@ -1,29 +1,54 @@
-{ config, inputs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
 {
   sops = {
     secrets = {
-      "git/credentials/github.com/public/username".sopsFile =
-        "${inputs.secrets}/domains/personal/secrets.yaml";
-      "git/credentials/github.com/public/password".sopsFile =
+      "git/credentials/github.com/tokens/public".sopsFile =
         "${inputs.secrets}/domains/personal/secrets.yaml";
+
+      "nix/cache/nix.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
     };
 
-    templates.nix-access-tokens = {
-      content = ''
-        access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/public/password"}
-      '';
-      group = "users";
+    templates = {
+      nix-access-tokens = {
+        content = ''
+          access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/tokens/public"}
+        '';
+        group = "users";
+        mode = "0440";
+      };
+
+      nix-netrc = {
+        content = ''
+          machine nix.karaolidis.com
+          password ${config.sops.placeholder."nix/cache/nix.karaolidis.com"}
+        '';
+        group = "users";
+        mode = "0440";
+      };
     };
   };
 
   nix = {
     settings = {
+      trusted-users = [
+        "root"
+        "@wheel"
+      ];
       use-xdg-base-directories = true;
       experimental-features = [
         "nix-command"
         "flakes"
       ];
       download-buffer-size = 524288000;
+      substituters = lib.mkBefore [ "https://nix.karaolidis.com/main" ];
+      trusted-substituters = lib.mkBefore [ "https://nix.karaolidis.com/main" ];
+      trusted-public-keys = lib.mkBefore [ "main:nJVRBnv73MDkwuV5sgm52m4E2ImOhWHvY12qzjPegAk=" ];
+      netrc-file = config.sops.templates.nix-netrc.path;
     };
 
     channel.enable = false;

hosts/common/configs/system/ssh/default.nix

@@ -12,7 +12,7 @@
 
     jupiter-sish = {
       publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_sish_ed25519_key.pub";
-      extraHostNames = [ "karaolidis.com" ];
+      extraHostNames = [ "tunnel.karaolidis.com" ];
     };
 
     jupiter-vps = {

hosts/common/configs/user/console/attic/default.nix

@@ -0,0 +1,33 @@
+{ user, home }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
+let
+  hmConfig = config.home-manager.users.${user};
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets."nix/cache/nix.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+      templates."attic" = {
+        content = builtins.readFile (
+          (pkgs.formats.toml { }).generate "config.toml" {
+            default-server = "main";
+
+            servers."main" = {
+              endpoint = "https://nix.karaolidis.com/";
+              token = hmConfig.sops.placeholder."nix/cache/nix.karaolidis.com";
+            };
+          }
+        );
+        path = "${home}/.config/attic/config.toml";
+      };
+    };
+
+    home.packages = with pkgs; [ attic-client ];
+  };
+}

hosts/common/configs/user/console/git/default.nix

@@ -41,5 +41,41 @@ in
         );
       };
     };
+
+    home = {
+      packages = with pkgs; [
+        (pkgs.writeShellApplication {
+          name = "gh";
+          runtimeInputs = with pkgs; [ gh ];
+          text = builtins.readFile ./gh.sh;
+        })
+        (pkgs.writeShellApplication {
+          name = "glab";
+          runtimeInputs = with pkgs; [ glab ];
+          text = builtins.readFile ./glab.sh;
+        })
+        (pkgs.writeShellApplication {
+          name = "tea";
+          runtimeInputs = with pkgs; [ tea ];
+          text = builtins.readFile ./tea.sh;
+        })
+      ];
+
+      sessionVariables = {
+        GITEA_HOST = "git.karaolidis.com";
+        GITEA_SSH_HOST = "karaolidis.com";
+      };
+    };
+
+    xdg.configFile = {
+      "gh/config.yml".source = (pkgs.formats.yaml { }).generate "config.yml" {
+        version = 1;
+        git_protocol = "ssh";
+      };
+
+      "glab-cli/config.yml".source = (pkgs.formats.yaml { }).generate "config.yml" {
+        git_protocol = "ssh";
+      };
+    };
   };
 }

hosts/common/configs/user/console/git/gh.sh

@@ -0,0 +1,8 @@
+# shellcheck shell=bash
+
+GH_HOST="${GH_HOST:-github.com}"
+
+GH_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GH_HOST}#\1#p" "$HOME/.config/git/credentials")
+export GH_TOKEN
+
+exec gh "$@"

hosts/common/configs/user/console/git/glab.sh

@@ -0,0 +1,8 @@
+# shellcheck shell=bash
+
+GITLAB_HOST="${GITLAB_HOST:-gitlab.com}"
+
+GITLAB_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GITLAB_HOST}#\1#p" "$HOME/.config/git/credentials")
+export GITLAB_TOKEN
+
+exec glab "$@"

hosts/common/configs/user/console/git/tea.sh

@@ -0,0 +1,13 @@
+# shellcheck shell=bash
+
+GITEA_HOST="${GITEA_HOST:-gitea.com}"
+GITEA_SSH_HOST="${GITEA_SSH_HOST:-gitea.com}"
+
+GITEA_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GITEA_HOST}#\1#p" "$HOME/.config/git/credentials")
+GITEA_INSTANCE_URL="https://${GITEA_HOST}"
+GITEA_INSTANCE_SSH_HOST="$GITEA_SSH_HOST"
+export GITEA_TOKEN
+export GITEA_INSTANCE_URL
+export GITEA_INSTANCE_SSH_HOST
+
+exec tea "$@"

hosts/common/configs/user/console/gpg-agent/default.nix

@@ -20,6 +20,10 @@
       enable = true;
       defaultCacheTtl = 31536000;
       maxCacheTtl = 31536000;
+      pinentry = {
+        package = pkgs.pinentry-all;
+        program = "pinentry-tty";
+      };
     };
 
     systemd.user = {

hosts/common/configs/user/console/home-manager/default.nix

@@ -1,5 +1,10 @@
 { user, home }:
-{ config, inputs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
 {
   imports = [ inputs.home-manager.nixosModules.default ];
 
@@ -15,10 +20,18 @@
       home.stateVersion = "24.11";
       systemd.user.startServices = true;
 
-      nix.settings.experimental-features = [
-        "nix-command"
-        "flakes"
-      ];
+      nix.settings = {
+        use-xdg-base-directories = true;
+        experimental-features = [
+          "nix-command"
+          "flakes"
+        ];
+        download-buffer-size = 524288000;
+        substituters = lib.mkBefore [ "https://nix.karaolidis.com/main" ];
+        trusted-substituters = lib.mkBefore [ "https://nix.karaolidis.com/main" ];
+        trusted-public-keys = lib.mkBefore [ "main:nJVRBnv73MDkwuV5sgm52m4E2ImOhWHvY12qzjPegAk=" ];
+        netrc-file = config.sops.templates.nix-netrc.path;
+      };
     };
   };
 }

hosts/common/configs/user/console/neovim/default.nix

@@ -1,6 +1,16 @@
 { user, home }:
-{ inputs, ... }:
 {
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  environment.persistence = {
+    "/persist/state"."${home}/.local/share/nvf" = { };
+    "/persist/cache"."${home}/.cache/nvf" = { };
+  };
+
   home-manager.users.${user} = {
     imports = [ inputs.nvf.homeManagerModules.default ];
 
@@ -16,13 +26,12 @@
             viAlias = true;
             vimAlias = true;
 
-            # autocomplete = {
-            #   blink-cmp.enable = true;
-            #   enableSharedCmpSources = true;
-            # };
+            autocomplete = {
+              blink-cmp.enable = true;
+            };
 
             binds = {
-              hardtime-nvim.enable = true;
+              # hardtime-nvim.enable = true;
               whichKey.enable = true;
             };
 
@@ -46,10 +55,11 @@
                 setupOpts = {
                   git_status_async = true;
 
-                  filesystem = {
-                    position = "current";
-                    hijack_netrw_behavior = "open_current";
-                  };
+                  window.mappings = lib.generators.mkLuaInline ''
+                    {
+                      ["<space>"] = "noop",
+                    }
+                  '';
                 };
               };
             };
@@ -84,6 +94,15 @@
               nix = {
                 enable = true;
                 format.type = "nixfmt";
+                lsp.options.nil = {
+                  nix = {
+                    maxMemoryMB = null;
+                    flake = {
+                      autoArchive = true;
+                      autoEvalInputs = true;
+                    };
+                  };
+                };
               };
               php.enable = true;
               python.enable = true;
@@ -127,12 +146,29 @@
             #   luasnip.enable = true;
             # };
 
-            # tabline = {
-            #   nvimBufferline.enable = true;
-            # };
+            tabline = {
+              nvimBufferline = {
+                enable = true;
+                mappings.closeCurrent = "<leader>bd";
+                setupOpts.options = {
+                  indicator.style = "icon";
+                  show_close_icon = false;
+                  show_buffer_close_icons = false;
+                };
+              };
+            };
 
             telescope = {
               enable = true;
+              setupOpts.defaults.file_ignore_patterns = [
+                "node_modules"
+                "%.venv/"
+                "%.git/"
+                "dist/"
+                "build/"
+                "target/"
+                "result/"
+              ];
             };
 
             terminal = {
@@ -171,10 +207,9 @@
               motion = {
                 precognition.enable = true;
               };
-              # multicursors.enable = true;
               # nvim-biscuits.enable = true;
               # smart-splits.enable = true;
-              # surround.enable = true;
+              surround.enable = true;
               # undotree.enable = true;
               # yazi-nvim.enable = true;
             };
@@ -188,11 +223,77 @@
               # nvim-scrollbar.enable = true;
               nvim-web-devicons.enable = true;
             };
+
+            keymaps = [
+              {
+                mode = [ "n" ];
+                key = "<C-b>";
+                action = "<C-b>zz";
+                silent = true;
+                noremap = true;
+                desc = "Page up and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<C-u>";
+                action = "<C-u>zz";
+                silent = true;
+                noremap = true;
+                desc = "Half-page up and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<C-d>";
+                action = "<C-d>zz";
+                silent = true;
+                noremap = true;
+                desc = "Half-page down and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<C-f>";
+                action = "<C-f>zz";
+                silent = true;
+                noremap = true;
+                desc = "Page down and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>ww";
+                action = "<cmd>w<CR>";
+                silent = true;
+                desc = "Save";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>wq";
+                action = "<cmd>wq<CR>";
+                silent = true;
+                desc = "Save & Quit";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>ee";
+                action = "<cmd>Neotree toggle<CR>";
+                silent = true;
+                desc = "Toggle Neo-tree";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>ef";
+                action = "<cmd>Neotree reveal<CR>";
+                silent = true;
+                desc = "Reveal file in Neo-tree";
+              }
+            ];
           };
         };
       };
 
-      zsh.p10k.extraRightPromptElements = [ "vim_shell" ];
+      zsh = {
+        p10k.extraRightPromptElements = [ "vim_shell" ];
+        shellAliases.v = "nvim";
+      };
     };
   };
 }

hosts/common/configs/user/console/ssh-agent/default.nix

@@ -3,6 +3,6 @@
 {
   home-manager.users.${user} = {
     services.ssh-agent.enable = true;
-    programs.ssh.addKeysToAgent = "yes";
+    programs.ssh.matchBlocks."*".addKeysToAgent = "yes";
   };
 }

hosts/common/configs/user/console/ssh/default.nix

@@ -1,5 +1,9 @@
 { user, home }:
 { ... }:
 {
-  home-manager.users.${user}.programs.ssh.enable = true;
+  home-manager.users.${user}.programs.ssh = {
+    enable = true;
+    enableDefaultConfig = false;
+    matchBlocks."*".identitiesOnly = true;
+  };
 }

hosts/common/configs/user/console/syncthing/default.nix

@@ -14,11 +14,13 @@
     "syncthing/key" = {
       owner = user;
       group = "users";
+      mode = "0440";
     };
     # openssl req -new -x509 -key key.pem -out cert.pem -days 9999 -subj "/CN=syncthing"
     "syncthing/cert" = {
       owner = user;
       group = "users";
+      mode = "0440";
     };
   };
 

hosts/common/configs/user/gui/hyprland/default.nix

@@ -154,7 +154,7 @@
 
     programs.zsh = {
       loginExtra = lib.mkAfter ''
-        if uwsm check may-start; then
+        if uwsm check may-start > /dev/null; then
           exec uwsm start hyprland-uwsm.desktop
         fi
       '';

hosts/common/configs/user/gui/hyprsunset/default.nix

@@ -0,0 +1,5 @@
+{ user, home }:
+{ ... }:
+{
+  home-manager.users.${user}.services.hyprsunset.enable = true;
+}

hosts/elara/configs/ssh/default.nix

@@ -33,16 +33,14 @@
         HostName github.com
         IdentityFile /root/.ssh/ssh_sas_ed25519_key
         IdentitiesOnly yes
+        UserKnownHostsFile ${pkgs.sshKnownHosts.github}
 
       Host gitlab.sas.com
         User git
         HostName gitlab.sas.com
         IdentityFile /root/.ssh/ssh_sas_ed25519_key
         IdentitiesOnly yes
+        ${lib.strings.optionalString config.sas.build.private "UserKnownHostsFile ${pkgs.sshKnownHosts.sas-gitlab}"}
     '';
-
-    knownHostsFiles =
-      with pkgs.sshKnownHosts;
-      ([ github ] ++ lib.lists.optionals config.sas.build.private [ sas-gitlab ]);
   };
 }

hosts/elara/default.nix

@@ -27,6 +27,7 @@
     ../common/configs/system/podman
     ../common/configs/system/sops
     ../common/configs/system/ssh
+    ../common/configs/system/sshd
     ../common/configs/system/sudo
     ../common/configs/system/system
     ../common/configs/system/users
@@ -42,7 +43,7 @@
 
   networking.hostName = "elara";
 
-  sas.build.private = true;
+  sas.build.private = false;
 
   environment.impermanence.enable = lib.mkForce false;
 }

hosts/elara/users/nikara/configs/console/gpg/default.nix

@@ -36,8 +36,5 @@ in
       "Personal GPG Passphrase".source = hmConfig.sops.secrets."gpg/personal/pass".path;
       "SAS GPG Passphrase".source = hmConfig.sops.secrets."gpg/sas/pass".path;
     };
-
-    home.packages = [ pkgs.gcr ];
-    services.gpg-agent.pinentry.package = pkgs.pinentry-gnome3;
   };
 }

hosts/elara/users/nikara/configs/console/ssh/default.nix

@@ -46,118 +46,158 @@ in
           key = "ssh/rsa/pass";
         };
 
-        "git/credentials/personal/git.karaolidis.com/admin/username" = {
+        "git/credentials/personal/git.karaolidis.com/username" = {
           sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
-          key = "git/credentials/git.karaolidis.com/admin/username";
+          key = "git/credentials/git.karaolidis.com/username";
         };
 
-        "git/credentials/personal/git.karaolidis.com/admin/password" = {
+        "git/credentials/personal/git.karaolidis.com/tokens/admin" = {
           sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
-          key = "git/credentials/git.karaolidis.com/admin/password";
+          key = "git/credentials/git.karaolidis.com/tokens/admin";
         };
 
-        "git/credentials/sas/github.com/admin/username" = {
+        "git/credentials/sas/github.com/username" = {
           sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
-          key = "git/credentials/github.com/admin/username";
+          key = "git/credentials/github.com/username";
         };
 
-        "git/credentials/sas/github.com/admin/password" = {
+        "git/credentials/sas/github.com/tokens/admin" = {
           sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
-          key = "git/credentials/github.com/admin/password";
+          key = "git/credentials/github.com/tokens/admin";
+        };
+
+        "git/credentials/personal/github.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/github.com/username";
+        };
+
+        "git/credentials/personal/github.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/github.com/tokens/admin";
+        };
+
+        "git/credentials/personal/gitlab.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitlab.com/username";
+        };
+
+        "git/credentials/personal/gitlab.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitlab.com/tokens/admin";
+        };
+
+        "git/credentials/personal/gitea.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitea.com/username";
+        };
+
+        "git/credentials/personal/gitea.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitea.com/tokens/admin";
         };
       };
 
       templates."git/credentials" = {
         content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/admin/username"}:${
-            hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/admin/password"
+          https://${hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/tokens/admin"
           }@git.karaolidis.com
-          https://${hmConfig.sops.placeholder."git/credentials/sas/github.com/admin/username"}:${
-            hmConfig.sops.placeholder."git/credentials/sas/github.com/admin/password"
+          https://${hmConfig.sops.placeholder."git/credentials/sas/github.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/sas/github.com/tokens/admin"
           }@github.com
+          https://${hmConfig.sops.placeholder."git/credentials/personal/gitlab.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/personal/gitlab.com/tokens/admin"
+          }@gitlab.com
+          https://${hmConfig.sops.placeholder."git/credentials/personal/gitea.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/personal/gitea.com/tokens/admin"
+          }@gitea.com
         '';
         path = "${home}/.config/git/credentials";
       };
     };
 
     programs = {
-      ssh = {
-        matchBlocks = {
-          "karaolidis.com" = {
-            hostname = "karaolidis.com";
-            user = "nick";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "github.com" = {
-            hostname = "github.com";
-            user = "git";
-            identityFile = [ "${home}/.ssh/ssh_personal_ed25519_key" ];
-            identitiesOnly = true;
-          };
-
-          "gitlab.com" = {
-            hostname = "gitlab.com";
-            user = "git";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "github.sas.com" = {
-            hostname = "github.com";
-            user = "git";
-            identityFile = [ "${home}/.ssh/ssh_sas_ed25519_key" ];
-            identitiesOnly = true;
-          };
-
-          "cldlgn.fyi.sas.com" = {
-            inherit user;
-            hostname = "cldlgn.fyi.sas.com";
-            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "gitlab.sas.com" = {
-            hostname = "gitlab.sas.com";
-            user = "git";
-            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "gerrit-svi.unx.sas.com" = {
-            hostname = "gerrit-svi.unx.sas.com";
-            user = "nikara";
-            port = 29418;
-            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "artifactlfs.unx.sas.com" = {
-            hostname = "artifactlfs.unx.sas.com";
-            user = "nikara";
-            port = 1339;
-            identityFile = "${home}/.ssh/ssh_sas_rsa_key";
-            identitiesOnly = true;
-          };
+      ssh.matchBlocks = {
+        "karaolidis.com" = {
+          hostname = "karaolidis.com";
+          user = "nick";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
         };
 
-        userKnownHostsFile = builtins.concatStringsSep " " (
-          with pkgs.sshKnownHosts;
-          (
-            [
-              "${home}/.ssh/known_hosts"
-              github
-              gitlab
-            ]
-            ++ lib.lists.optionals config.sas.build.private [
-              sas-cldlgn
-              sas-gitlab
-              sas-gerrit
-              sas-artifact
-            ]
-          )
-        );
+        "tunnel.karaolidis.com" = {
+          hostname = "tunnel.karaolidis.com";
+          user = "nick";
+          port = 2222;
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        };
+
+        "github.com" = {
+          hostname = "github.com";
+          user = "git";
+          identityFile = [ "${home}/.ssh/ssh_personal_ed25519_key" ];
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.github;
+        };
+
+        "gitlab.com" = {
+          hostname = "gitlab.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitlab;
+        };
+
+        "gitea.com" = {
+          hostname = "gitea.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitea;
+        };
+
+        "github.sas.com" = {
+          hostname = "github.com";
+          user = "git";
+          identityFile = [ "${home}/.ssh/ssh_sas_ed25519_key" ];
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.github
+          );
+        };
+
+        "cldlgn.fyi.sas.com" = {
+          inherit user;
+          hostname = "cldlgn.fyi.sas.com";
+          identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-cldlgn
+          );
+        };
+
+        "gitlab.sas.com" = {
+          hostname = "gitlab.sas.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-gitlab
+          );
+        };
+
+        "gerrit-svi.unx.sas.com" = {
+          hostname = "gerrit-svi.unx.sas.com";
+          user = "nikara";
+          port = 29418;
+          identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-gerrit
+          );
+        };
+
+        "artifactlfs.unx.sas.com" = {
+          hostname = "artifactlfs.unx.sas.com";
+          user = "nikara";
+          port = 1339;
+          identityFile = "${home}/.ssh/ssh_sas_rsa_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-artifact
+          );
+        };
       };
 
       git.extraConfig.url = {

hosts/elara/users/nikara/default.nix

@@ -14,6 +14,7 @@ in
   imports = [
     (import ../../../common/configs/user { inherit user home; })
 
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/dive { inherit user home; })
     (import ../../../common/configs/user/console/fastfetch { inherit user home; })
@@ -84,6 +85,10 @@ in
     ];
     linger = true;
     uid = lib.strings.toInt (builtins.readFile ./uid);
+    openssh.authorizedKeys.keyFiles = [
+      "${inputs.secrets}/domains/personal/id_ed25519.pub"
+      "${inputs.secrets}/domains/sas/id_ed25519.pub"
+    ];
   };
 
   wsl.defaultUser = user;

hosts/himalia/default.nix

@@ -40,6 +40,7 @@
     ../common/configs/system/smartmontools
     ../common/configs/system/sops
     ../common/configs/system/ssh
+    ../common/configs/system/sshd
     ../common/configs/system/sudo
     ../common/configs/system/system
     ../common/configs/system/timezone

hosts/himalia/users/nick/configs/console/ssh/default.nix

@@ -19,56 +19,82 @@ in
 
         "ssh/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
 
-        "git/credentials/git.karaolidis.com/admin/username".sopsFile =
+        "git/credentials/git.karaolidis.com/username".sopsFile =
           "${inputs.secrets}/domains/personal/secrets.yaml";
 
-        "git/credentials/git.karaolidis.com/admin/password".sopsFile =
+        "git/credentials/git.karaolidis.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/github.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/github.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitlab.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitlab.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitea.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitea.com/tokens/admin".sopsFile =
           "${inputs.secrets}/domains/personal/secrets.yaml";
       };
 
       templates."git/credentials" = {
         content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/username"}:${
-            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/password"
+          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/tokens/admin"
           }@git.karaolidis.com
+          https://${hmConfig.sops.placeholder."git/credentials/github.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/github.com/tokens/admin"
+          }@github.com
+          https://${hmConfig.sops.placeholder."git/credentials/gitlab.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/gitlab.com/tokens/admin"
+          }@gitlab.com
+          https://${hmConfig.sops.placeholder."git/credentials/gitea.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/gitea.com/tokens/admin"
+          }@gitea.com
         '';
         path = "${home}/.config/git/credentials";
       };
     };
 
     programs = {
-      ssh = {
-        matchBlocks = {
-          "karaolidis.com" = {
-            hostname = "karaolidis.com";
-            user = "nick";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "github.com" = {
-            hostname = "github.com";
-            user = "git";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identitiesOnly = true;
-          };
-
-          "gitlab.com" = {
-            hostname = "gitlab.com";
-            user = "git";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-            identitiesOnly = true;
-          };
+      ssh.matchBlocks = {
+        "karaolidis.com" = {
+          hostname = "karaolidis.com";
+          user = "nick";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
         };
 
-        userKnownHostsFile = builtins.concatStringsSep " " (
-          with pkgs.sshKnownHosts;
-          [
-            "${home}/.ssh/known_hosts"
-            github
-            gitlab
-          ]
-        );
+        "tunnel.karaolidis.com" = {
+          hostname = "tunnel.karaolidis.com";
+          user = "nick";
+          port = 2222;
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        };
+
+        "github.com" = {
+          hostname = "github.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.github;
+        };
+
+        "gitlab.com" = {
+          hostname = "gitlab.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitlab;
+        };
+
+        "gitea.com" = {
+          hostname = "gitea.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitea;
+        };
       };
 
       clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path;

hosts/himalia/users/nick/default.nix

@@ -15,6 +15,7 @@ in
     (import ../../../common/configs/user { inherit user home; })
 
     (import ../../../common/configs/user/console/android { inherit user home; })
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/dive { inherit user home; })
@@ -73,6 +74,7 @@ in
     (import ../../../common/configs/user/gui/hyprland { inherit user home; })
     (import ../../../common/configs/user/gui/hyprpicker { inherit user home; })
     (import ../../../common/configs/user/gui/hyprshot { inherit user home; })
+    (import ../../../common/configs/user/gui/hyprsunset { inherit user home; })
     (import ../../../common/configs/user/gui/kitty { inherit user home; })
     (import ../../../common/configs/user/gui/libreoffice { inherit user home; })
     (import ../../../common/configs/user/gui/mpv { inherit user home; })
@@ -122,6 +124,7 @@ in
     ];
     linger = true;
     uid = lib.strings.toInt (builtins.readFile ./uid);
+    openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/domains/personal/id_ed25519.pub" ];
   };
 
   services.getty.autologinUser = user;

hosts/installer/default.nix

@@ -33,6 +33,7 @@
     ../common/configs/system/power
     ../common/configs/system/sops
     ../common/configs/system/ssh
+    ../common/configs/system/sshd
     ../common/configs/system/sudo
     ../common/configs/system/system
     ../common/configs/system/timezone

hosts/installer/users/nick/configs/console/ssh/default.nix

@@ -19,55 +19,81 @@ in
 
         "ssh/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
 
-        "git/credentials/git.karaolidis.com/admin/username".sopsFile =
+        "git/credentials/git.karaolidis.com/username".sopsFile =
           "${inputs.secrets}/domains/personal/secrets.yaml";
 
-        "git/credentials/git.karaolidis.com/admin/password".sopsFile =
+        "git/credentials/git.karaolidis.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/github.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/github.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitlab.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitlab.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitea.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitea.com/tokens/admin".sopsFile =
           "${inputs.secrets}/domains/personal/secrets.yaml";
       };
 
       templates."git/credentials" = {
         content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/username"}:${
-            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/password"
+          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/tokens/admin"
           }@git.karaolidis.com
+          https://${hmConfig.sops.placeholder."git/credentials/github.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/github.com/tokens/admin"
+          }@github.com
+          https://${hmConfig.sops.placeholder."git/credentials/gitlab.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/gitlab.com/tokens/admin"
+          }@gitlab.com
+          https://${hmConfig.sops.placeholder."git/credentials/gitea.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/gitea.com/tokens/admin"
+          }@gitea.com
         '';
         path = "${home}/.config/git/credentials";
       };
     };
 
-    programs.ssh = {
-      matchBlocks = {
-        "karaolidis.com" = {
-          hostname = "karaolidis.com";
-          user = "nick";
-          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-          identitiesOnly = true;
-        };
-
-        "github.com" = {
-          hostname = "github.com";
-          user = "git";
-          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-          identitiesOnly = true;
-        };
-
-        "gitlab.com" = {
-          hostname = "gitlab.com";
-          user = "git";
-          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-          identitiesOnly = true;
-        };
+    programs.ssh.matchBlocks = {
+      "karaolidis.com" = {
+        hostname = "karaolidis.com";
+        user = "nick";
+        identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
       };
 
-      userKnownHostsFile = builtins.concatStringsSep " " (
-        with pkgs.sshKnownHosts;
-        [
-          "${home}/.ssh/known_hosts"
-          github
-          gitlab
-        ]
-      );
+      "tunnel.karaolidis.com" = {
+        hostname = "tunnel.karaolidis.com";
+        user = "nick";
+        port = 2222;
+        identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+      };
+
+      "github.com" = {
+        hostname = "github.com";
+        user = "git";
+        identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.github;
+      };
+
+      "gitlab.com" = {
+        hostname = "gitlab.com";
+        user = "git";
+        identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitlab;
+      };
+
+      "gitea.com" = {
+        hostname = "gitea.com";
+        user = "git";
+        identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitea;
+      };
     };
   };
 }

hosts/installer/users/nick/default.nix

@@ -14,6 +14,7 @@ in
   imports = [
     (import ../../../common/configs/user { inherit user home; })
 
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/fastfetch { inherit user home; })
@@ -63,6 +64,7 @@ in
     ];
     linger = true;
     uid = lib.strings.toInt (builtins.readFile ./uid);
+    openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/domains/personal/id_ed25519.pub" ];
   };
 
   services.getty.autologinUser = user;

hosts/jupiter/hardware/default.nix

@@ -93,6 +93,6 @@
     xserver.videoDrivers = [ "nvidia" ];
     fstrim.enable = true;
     tlp.settings.DISK_DEVICES = lib.mkDefault "nvme0n1 nvme1n1";
-    logind.lidSwitch = "ignore";
+    logind.settings.Login.HandleLidSwitch = "ignore";
   };
 }

hosts/jupiter/users/nick/default.nix

@@ -14,6 +14,7 @@ in
   imports = [
     (import ../../../common/configs/user { inherit user home; })
 
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/fastfetch { inherit user home; })

hosts/jupiter/users/storm/configs/console/podman/attic/default.nix

@@ -0,0 +1,127 @@
+{ user, home }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
+let
+  hmConfig = config.home-manager.users.${user};
+  inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets = {
+        "attic/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "attic/rs256".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "attic/admin".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+      };
+
+      templates = {
+        attic-postgresql-env.content = ''
+          POSTGRES_PASSWORD=${hmConfig.sops.placeholder."attic/postgresql"}
+        '';
+
+        attic-env.content = ''
+          ATTIC_TOKEN=${hmConfig.sops.placeholder."attic/admin"}
+        '';
+
+        attic.content = builtins.readFile (
+          (pkgs.formats.toml { }).generate "server.toml" {
+            listen = "[::]:8080";
+
+            allowed-hosts = [ "nix.karaolidis.com" ];
+            api-endpoint = "https://nix.karaolidis.com/";
+
+            database.url = "postgres://attic:${
+              hmConfig.sops.placeholder."attic/postgresql"
+            }@attic-postgresql:5432/attic";
+
+            storage = {
+              type = "local";
+              path = "/var/lib/attic";
+            };
+
+            chunking = {
+              nar-size-threshold = 65536;
+              min-size = 16384;
+              avg-size = 65536;
+              max-size = 262144;
+            };
+
+            compression = {
+              type = "zstd";
+              level = 8;
+            };
+
+            garbage-collection = {
+              interval = "12 hours";
+              default-retention-period = "1 month";
+            };
+
+            jwt.signing.token-rs256-secret-base64 = hmConfig.sops.placeholder."attic/rs256";
+          }
+        );
+      };
+    };
+
+    systemd.user.tmpfiles.rules = [
+      "d /mnt/storage/private/storm/containers/storage/volumes/attic/_data 700 storm storm"
+    ];
+
+    virtualisation.quadlet = {
+      networks.attic = { };
+
+      volumes.attic-postgresql = { };
+
+      containers = {
+        attic = {
+          containerConfig = {
+            image = "docker-archive:${pkgs.dockerImages.attic}";
+            networks = [
+              networks.attic.ref
+              networks.traefik.ref
+            ];
+            volumes = [
+              "/mnt/storage/private/storm/containers/storage/volumes/attic/_data:/var/lib/attic"
+              "${hmConfig.sops.templates.attic.path}:/etc/attic/server.toml"
+            ];
+            environmentFiles = [ hmConfig.sops.templates.attic-env.path ];
+            exec = [
+              "--config"
+              "/etc/attic/server.toml"
+            ];
+            labels = [
+              "traefik.enable=true"
+              "traefik.http.routers.attic.rule=Host(`nix.karaolidis.com`)"
+            ];
+          };
+
+          unitConfig = {
+            After = [
+              "${containers.attic-postgresql._serviceName}.service"
+              "sops-nix.service"
+            ];
+            Requires = [ "${containers.attic-postgresql._serviceName}.service" ];
+          };
+        };
+
+        attic-postgresql = {
+          containerConfig = {
+            image = "docker-archive:${pkgs.dockerImages.postgresql}";
+            networks = [ networks.attic.ref ];
+            volumes = [ "${volumes.attic-postgresql.ref}:/var/lib/postgresql/data" ];
+            environments = {
+              POSTGRES_DB = "attic";
+              POSTGRES_USER = "attic";
+            };
+            environmentFiles = [ hmConfig.sops.templates.attic-postgresql-env.path ];
+          };
+
+          unitConfig.After = [ "sops-nix.service" ];
+        };
+      };
+    };
+  };
+}

hosts/jupiter/users/storm/configs/console/podman/attic/post-start.sh

@@ -0,0 +1,22 @@
+# shellcheck shell=sh
+
+attic login main https://nix.karaolidis.com/ "$ATTIC_TOKEN"
+
+CACHE_NAME="main"
+
+while true; do
+  out=$(attic cache info "$CACHE_NAME" 2>&1)
+  status=$?
+
+  if [ $status -eq 0 ]; then
+    break
+  elif echo "$out" | grep -q "NoSuchCache"; then
+    attic cache create "$CACHE_NAME"
+  elif echo "$out" | grep -q "404"; then
+    sleep 0.1
+  else
+    echo "Unexpected error:"
+    echo "$out"
+    break
+  fi
+done

hosts/jupiter/users/storm/configs/console/podman/default.nix

@@ -10,6 +10,7 @@ let
 in
 {
   imports = [
+    (import ./attic { inherit user home; })
     (import ./authelia { inherit user home; })
     (import ./gitea { inherit user home; })
     (import ./grafana { inherit user home; })

hosts/jupiter/users/storm/configs/console/podman/sish/default.nix

@@ -11,7 +11,15 @@ let
   inherit (hmConfig.virtualisation.quadlet) networks;
 in
 {
-  networking.firewall.allowedTCPPorts = [ 2222 ];
+  networking.firewall = {
+    allowedTCPPorts = [ 2222 ];
+    allowedTCPPortRanges = [
+      {
+        from = 61000;
+        to = 61999;
+      }
+    ];
+  };
 
   home-manager.users.${user} = {
     sops.secrets."sish/ssh/key".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
@@ -32,7 +40,6 @@ in
                 name = "authorized_keys";
                 text = lib.strings.concatStringsSep "\n" [
                   (builtins.readFile "${inputs.secrets}/domains/personal/id_ed25519.pub")
-                  (builtins.readFile "${inputs.secrets}/domains/sas/id_globalprotect_ed25519.pub")
                 ];
               };
             in
@@ -45,7 +52,10 @@ in
             "traefik.http.routers.sish.rule=HostRegexp(`^(.+\.)?tunnel\.karaolidis\.com$`)"
             "traefik.http.services.sish.loadbalancer.server.port=80"
           ];
-          publishPorts = [ "2222:2222/tcp" ];
+          publishPorts = [
+            "2222:2222/tcp"
+            "61000-61999:61000-61999/tcp"
+          ];
           exec = [
             "--ssh-address=0.0.0.0:2222"
             "--http-address=0.0.0.0:80"
@@ -56,6 +66,7 @@ in
             "--bind-random-ports=false"
             "--bind-random-aliases=false"
             "--bind-random-subdomains=false"
+            "--port-bind-range=61000-61999"
             "--welcome-message=\"\""
             "--domain=tunnel.karaolidis.com"
             "--proxy-ssl-termination=true"

hosts/jupiter/users/storm/default.nix

@@ -14,6 +14,7 @@ in
   imports = [
     (import ../../../common/configs/user { inherit user home; })
 
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/home-manager { inherit user home; })

overlays/attic-client/default.nix

@@ -0,0 +1,5 @@
+final: prev:
+# FIXME: https://github.com/zhaofengli/attic/pull/280
+prev.attic-client.overrideAttrs (oldAttrs: {
+  patches = oldAttrs.patches or [ ] ++ [ ./stdout-logging.patch ];
+})

overlays/attic-client/stdout-logging.patch

@@ -0,0 +1,321 @@
+diff --git a/client/src/command/cache.rs b/client/src/command/cache.rs
+index af01378..0602b3b 100644
+--- a/client/src/command/cache.rs
++++ b/client/src/command/cache.rs
+@@ -189,7 +189,7 @@ async fn create_cache(sub: Create) -> Result<()> {
+     };
+ 
+     api.create_cache(cache, request).await?;
+-    eprintln!(
++    println!(
+         "✨ Created cache \"{}\" on \"{}\"",
+         cache.as_str(),
+         server_name.as_str()
+@@ -239,7 +239,7 @@ async fn configure_cache(sub: Configure) -> Result<()> {
+     let api = ApiClient::from_server_config(server.clone())?;
+     api.configure_cache(cache, &patch).await?;
+ 
+-    eprintln!(
++    println!(
+         "✅ Configured \"{}\" on \"{}\"",
+         cache.as_str(),
+         server_name.as_str()
+@@ -254,12 +254,12 @@ async fn destroy_cache(sub: Destroy) -> Result<()> {
+     let (server_name, server, cache) = config.resolve_cache(&sub.cache)?;
+ 
+     if !sub.no_confirm {
+-        eprintln!("When you destory a cache:");
+-        eprintln!();
+-        eprintln!("1. Everyone will lose access.");
+-        eprintln!("2. The underlying data won't be deleted immediately.");
+-        eprintln!("3. You may not be able to create a cache of the same name.");
+-        eprintln!();
++        println!("When you destory a cache:");
++        println!();
++        println!("1. Everyone will lose access.");
++        println!("2. The underlying data won't be deleted immediately.");
++        println!("3. You may not be able to create a cache of the same name.");
++        println!();
+ 
+         let answer: String = Input::new()
+             .with_prompt(format!(
+@@ -278,7 +278,7 @@ async fn destroy_cache(sub: Destroy) -> Result<()> {
+     let api = ApiClient::from_server_config(server.clone())?;
+     api.destroy_cache(cache).await?;
+ 
+-    eprintln!("🗑️ The cache was destroyed.");
++    println!("🗑️ The cache was destroyed.");
+ 
+     Ok(())
+ }
+@@ -291,40 +291,40 @@ async fn show_cache_config(sub: Info) -> Result<()> {
+     let cache_config = api.get_cache_config(cache).await?;
+ 
+     if let Some(is_public) = cache_config.is_public {
+-        eprintln!("               Public: {}", is_public);
++        println!("               Public: {}", is_public);
+     }
+ 
+     if let Some(public_key) = cache_config.public_key {
+-        eprintln!("           Public Key: {}", public_key);
++        println!("           Public Key: {}", public_key);
+     }
+ 
+     if let Some(substituter_endpoint) = cache_config.substituter_endpoint {
+-        eprintln!("Binary Cache Endpoint: {}", substituter_endpoint);
++        println!("Binary Cache Endpoint: {}", substituter_endpoint);
+     }
+ 
+     if let Some(api_endpoint) = cache_config.api_endpoint {
+-        eprintln!("         API Endpoint: {}", api_endpoint);
++        println!("         API Endpoint: {}", api_endpoint);
+     }
+ 
+     if let Some(store_dir) = cache_config.store_dir {
+-        eprintln!("      Store Directory: {}", store_dir);
++        println!("      Store Directory: {}", store_dir);
+     }
+ 
+     if let Some(priority) = cache_config.priority {
+-        eprintln!("             Priority: {}", priority);
++        println!("             Priority: {}", priority);
+     }
+ 
+     if let Some(upstream_cache_key_names) = cache_config.upstream_cache_key_names {
+-        eprintln!("  Upstream Cache Keys: {:?}", upstream_cache_key_names);
++        println!("  Upstream Cache Keys: {:?}", upstream_cache_key_names);
+     }
+ 
+     if let Some(retention_period) = cache_config.retention_period {
+         match retention_period {
+             RetentionPeriodConfig::Period(period) => {
+-                eprintln!("     Retention Period: {:?}", period);
++                println!("     Retention Period: {:?}", period);
+             }
+             RetentionPeriodConfig::Global => {
+-                eprintln!("     Retention Period: Global Default");
++                println!("     Retention Period: Global Default");
+             }
+         }
+     }
+diff --git a/client/src/command/login.rs b/client/src/command/login.rs
+index 9abcea7..6cadd59 100644
+--- a/client/src/command/login.rs
++++ b/client/src/command/login.rs
+@@ -28,7 +28,7 @@ pub async fn run(opts: Opts) -> Result<()> {
+     let mut config_m = config.as_mut();
+ 
+     if let Some(server) = config_m.servers.get_mut(&sub.name) {
+-        eprintln!("✍️ Overwriting server \"{}\"", sub.name.as_str());
++        println!("✍️ Overwriting server \"{}\"", sub.name.as_str());
+ 
+         server.endpoint = sub.endpoint.to_owned();
+ 
+@@ -38,7 +38,7 @@ pub async fn run(opts: Opts) -> Result<()> {
+             });
+         }
+     } else {
+-        eprintln!("✍️ Configuring server \"{}\"", sub.name.as_str());
++        println!("✍️ Configuring server \"{}\"", sub.name.as_str());
+ 
+         config_m.servers.insert(
+             sub.name.to_owned(),
+diff --git a/client/src/command/push.rs b/client/src/command/push.rs
+index b2bb661..5d39549 100644
+--- a/client/src/command/push.rs
++++ b/client/src/command/push.rs
+@@ -91,7 +91,7 @@ impl PushContext {
+ 
+             return Ok(());
+         } else {
+-            eprintln!("⚙️ Pushing {num_missing_paths} paths to \"{cache}\" on \"{server}\" ({num_already_cached} already cached, {num_upstream} in upstream)...",
++            println!("⚙️ Pushing {num_missing_paths} paths to \"{cache}\" on \"{server}\" ({num_already_cached} already cached, {num_upstream} in upstream)...",
+                 cache = self.cache_name.as_str(),
+                 server = self.server_name.as_str(),
+                 num_missing_paths = plan.store_path_map.len(),
+diff --git a/client/src/command/use.rs b/client/src/command/use.rs
+index 37d8cd6..d87f65e 100644
+--- a/client/src/command/use.rs
++++ b/client/src/command/use.rs
+@@ -34,15 +34,15 @@ pub async fn run(opts: Opts) -> Result<()> {
+     let public_key = cache_config.public_key
+         .ok_or_else(|| anyhow!("The server did not tell us which public key it uses. Is signing managed by the client?"))?;
+ 
+-    eprintln!(
++    println!(
+         "Configuring Nix to use \"{cache}\" on \"{server_name}\":",
+         cache = cache.as_str(),
+         server_name = server_name.as_str(),
+     );
+ 
+     // Modify nix.conf
+-    eprintln!("+ Substituter: {}", substituter);
+-    eprintln!("+ Trusted Public Key: {}", public_key);
++    println!("+ Substituter: {}", substituter);
++    println!("+ Trusted Public Key: {}", public_key);
+ 
+     let mut nix_config = NixConfig::load().await?;
+     nix_config.add_substituter(&substituter);
+@@ -50,7 +50,7 @@ pub async fn run(opts: Opts) -> Result<()> {
+ 
+     // Modify netrc
+     if let Some(token) = server.token()? {
+-        eprintln!("+ Access Token");
++        println!("+ Access Token");
+ 
+         let mut nix_netrc = NixNetrc::load().await?;
+         let host = Url::parse(&substituter)?
+diff --git a/client/src/command/watch_store.rs b/client/src/command/watch_store.rs
+index 24eaf7a..aec0c33 100644
+--- a/client/src/command/watch_store.rs
++++ b/client/src/command/watch_store.rs
+@@ -91,7 +91,7 @@ pub async fn run(opts: Opts) -> Result<()> {
+ 
+     watcher.watch(&store_dir, RecursiveMode::NonRecursive)?;
+ 
+-    eprintln!(
++    println!(
+         "👀 Pushing new store paths to \"{cache}\" on \"{server}\"",
+         cache = cache.as_str(),
+         server = server_name.as_str(),
+diff --git a/client/src/push.rs b/client/src/push.rs
+index 309bd4b..2fea414 100644
+--- a/client/src/push.rs
++++ b/client/src/push.rs
+@@ -595,7 +595,7 @@ pub async fn upload_path(
+             };
+ 
+             mp.suspend(|| {
+-                eprintln!(
++                println!(
+                     "✅ {} ({})",
+                     path.as_os_str().to_string_lossy(),
+                     info_string
+diff --git a/server/src/database/migration/m20230112_000004_migrate_nar_remote_files_to_chunks.rs b/server/src/database/migration/m20230112_000004_migrate_nar_remote_files_to_chunks.rs
+index 42d70a6..6bbe585 100644
+--- a/server/src/database/migration/m20230112_000004_migrate_nar_remote_files_to_chunks.rs
++++ b/server/src/database/migration/m20230112_000004_migrate_nar_remote_files_to_chunks.rs
+@@ -24,7 +24,7 @@ impl MigrationTrait for Migration {
+         // When this migration is run, we assume that there are no
+         // preexisting chunks.
+ 
+-        eprintln!("* Migrating NARs to chunks...");
++        println!("* Migrating NARs to chunks...");
+ 
+         // Add a temporary column into `chunk` to store the related `nar_id`.
+         manager
+diff --git a/server/src/database/migration/m20230112_000005_drop_old_nar_columns.rs b/server/src/database/migration/m20230112_000005_drop_old_nar_columns.rs
+index 9d29b66..7436b4a 100644
+--- a/server/src/database/migration/m20230112_000005_drop_old_nar_columns.rs
++++ b/server/src/database/migration/m20230112_000005_drop_old_nar_columns.rs
+@@ -16,7 +16,7 @@ impl MigrationName for Migration {
+ #[async_trait::async_trait]
+ impl MigrationTrait for Migration {
+     async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
+-        eprintln!("* Migrating NAR schema...");
++        println!("* Migrating NAR schema...");
+ 
+         if manager.get_database_backend() == DatabaseBackend::Sqlite {
+             // Just copy all data to a new table
+diff --git a/server/src/lib.rs b/server/src/lib.rs
+index 0314e69..89644e1 100644
+--- a/server/src/lib.rs
++++ b/server/src/lib.rs
+@@ -217,7 +217,7 @@ async fn fallback(_: Uri) -> ServerResult<()> {
+ 
+ /// Runs the API server.
+ pub async fn run_api_server(cli_listen: Option<SocketAddr>, config: Config) -> Result<()> {
+-    eprintln!("Starting API server...");
++    println!("Starting API server...");
+ 
+     let state = StateInner::new(config).await;
+ 
+@@ -239,7 +239,7 @@ pub async fn run_api_server(cli_listen: Option<SocketAddr>, config: Config) -> R
+         .layer(TraceLayer::new_for_http())
+         .layer(CatchPanicLayer::new());
+ 
+-    eprintln!("Listening on {:?}...", listen);
++    println!("Listening on {:?}...", listen);
+ 
+     let listener = TcpListener::bind(&listen).await?;
+ 
+@@ -256,7 +256,7 @@ pub async fn run_api_server(cli_listen: Option<SocketAddr>, config: Config) -> R
+ 
+ /// Runs database migrations.
+ pub async fn run_migrations(config: Config) -> Result<()> {
+-    eprintln!("Running migrations...");
++    println!("Running migrations...");
+ 
+     let state = StateInner::new(config).await;
+     let db = state.database().await?;
+diff --git a/server/src/main.rs b/server/src/main.rs
+index c5f08df..3a37c23 100644
+--- a/server/src/main.rs
++++ b/server/src/main.rs
+@@ -121,14 +121,14 @@ fn init_logging(tokio_console: bool) {
+         .init();
+ 
+     if tokio_console {
+-        eprintln!("Note: tokio-console is enabled");
++        println!("Note: tokio-console is enabled");
+     }
+ }
+ 
+ fn dump_version() {
+     #[cfg(debug_assertions)]
+-    eprintln!("Attic Server {} (debug)", env!("CARGO_PKG_VERSION"));
++    println!("Attic Server {} (debug)", env!("CARGO_PKG_VERSION"));
+ 
+     #[cfg(not(debug_assertions))]
+-    eprintln!("Attic Server {} (release)", env!("CARGO_PKG_VERSION"));
++    println!("Attic Server {} (release)", env!("CARGO_PKG_VERSION"));
+ }
+diff --git a/server/src/oobe.rs b/server/src/oobe.rs
+index d3d912d..98ef88c 100644
+--- a/server/src/oobe.rs
++++ b/server/src/oobe.rs
+@@ -77,25 +77,25 @@ pub async fn run_oobe() -> Result<()> {
+         token.encode(&SignatureType::RS256(key), &None, &None)?
+     };
+ 
+-    eprintln!();
+-    eprintln!("-----------------");
+-    eprintln!("Welcome to Attic!");
+-    eprintln!();
+-    eprintln!("A simple setup using SQLite and local storage has been configured for you in:");
+-    eprintln!();
+-    eprintln!("    {}", config_path.to_str().unwrap());
+-    eprintln!();
+-    eprintln!("Run the following command to log into this server:");
+-    eprintln!();
+-    eprintln!("    attic login local http://localhost:8080 {root_token}");
+-    eprintln!();
+-    eprintln!("Documentations and guides:");
+-    eprintln!();
+-    eprintln!("    https://docs.attic.rs");
+-    eprintln!();
+-    eprintln!("Enjoy!");
+-    eprintln!("-----------------");
+-    eprintln!();
++    println!();
++    println!("-----------------");
++    println!("Welcome to Attic!");
++    println!();
++    println!("A simple setup using SQLite and local storage has been configured for you in:");
++    println!();
++    println!("    {}", config_path.to_str().unwrap());
++    println!();
++    println!("Run the following command to log into this server:");
++    println!();
++    println!("    attic login local http://localhost:8080 {root_token}");
++    println!();
++    println!("Documentations and guides:");
++    println!();
++    println!("    https://docs.attic.rs");
++    println!();
++    println!("Enjoy!");
++    println!("-----------------");
++    println!();
+ 
+     Ok(())
+ }

overlays/default.nix

@@ -1,17 +1,19 @@
 final: prev:
 {
   android-tools = import ./android-tools final prev;
+  attic-client = import ./attic-client final prev;
   darktable = import ./darktable final prev;
   hyprland = import ./hyprland final prev;
   mpv = import ./mpv final prev;
-  ncspot = import ./ncspot final prev;
   spicetify-cli = import ./spicetify-cli final prev;
+  tea = import ./tea final prev;
   telepresence = import ./telepresence final prev;
 }
 // (import ../packages { pkgs = final; })
 // {
   dockerImages = prev.dockerImages or { } // {
     adguardhome = final.docker-image-adguardhome;
+    attic = final.docker-image-attic;
     authelia = final.docker-image-authelia;
     base = final.docker-image-base;
     comentario = final.docker-image-comentario;
@@ -82,6 +84,7 @@ final: prev:
   };
 
   sshKnownHosts = prev.sshKnownHosts or { } // {
+    gitea = final.ssh-known-hosts-gitea;
     github = final.ssh-known-hosts-github;
     gitlab = final.ssh-known-hosts-gitlab;
   };

overlays/ncspot/default.nix

@@ -1,15 +0,0 @@
-final: prev:
-# FIXME: https://github.com/hrkfdn/ncspot/issues/1681#issuecomment-3186274719
-prev.ncspot.overrideAttrs (oldAttrs: rec {
-  src = prev.fetchFromGitHub {
-    owner = "hrkfdn";
-    repo = "ncspot";
-    rev = "aac67d631f25bbc79f509d34aa85e6daff954830";
-    hash = "sha256-B6BA1ksfDEySZH6gzkU5khOzwXAmeHbMHsx3sXd9lbs=";
-  };
-
-  cargoDeps = prev.rustPlatform.fetchCargoVendor {
-    inherit src;
-    hash = "sha256-HrQJiIzSvu/vR03UdnCcU6TGToBDKKDC6XscjvX3KPE=";
-  };
-})

overlays/tea/default.nix

@@ -0,0 +1,10 @@
+final: prev:
+prev.tea.overrideAttrs (oldAttrs: {
+  patches = oldAttrs.patches or [ ] ++ [
+    (builtins.fetchurl {
+      url = "https://gitea.com/gitea/tea/pulls/639.patch";
+      sha256 = "sha256:0c5gpi6aajd3h0wp7lrvj5qk9wsqhgbap7ijvl0x117v0g8mgzvs";
+    })
+    ./instance-ssh-host-env.patch
+  ];
+})

overlays/tea/instance-ssh-host-env.patch

@@ -0,0 +1,174 @@
+diff --git a/modules/config/login.go b/modules/config/login.go
+index 3b77fb9..94de9cd 100644
+--- a/modules/config/login.go
++++ b/modules/config/login.go
+@@ -13,6 +13,7 @@ import (
+ 	"net/http/cookiejar"
+ 	"net/url"
+ 	"os"
++	"strconv"
+ 	"strings"
+ 	"time"
+ 
+@@ -200,6 +201,63 @@ func UpdateLogin(login *Login) error {
+ 	return saveConfig()
+ }
+ 
++// CreateLoginFromEnvVars returns a login based on environment variables, or nil if no login can be created
++func CreateLoginFromEnvVars() (*Login, error) {
++	var token string
++
++	giteaToken := os.Getenv("GITEA_TOKEN")
++	githubToken := os.Getenv("GH_TOKEN")
++	giteaInstanceURL := os.Getenv("GITEA_INSTANCE_URL")
++	instanceInsecure := os.Getenv("GITEA_INSTANCE_INSECURE")
++	giteaInstanceSSHHost := os.Getenv("GITEA_INSTANCE_SSH_HOST")
++	insecure := false
++	if len(instanceInsecure) > 0 {
++		insecure, _ = strconv.ParseBool(instanceInsecure)
++	}
++
++	// if no tokens are set, or no instance url for gitea fail fast
++	if len(giteaInstanceURL) == 0 || (len(giteaToken) == 0 && len(githubToken) == 0) {
++		return nil, nil
++	}
++
++	token = giteaToken
++	if len(giteaToken) == 0 {
++		token = githubToken
++	}
++
++	login := &Login{
++		Name:              "GITEA_LOGIN_VIA_ENV",
++		URL:               giteaInstanceURL,
++		Token:             token,
++		SSHHost:           giteaInstanceSSHHost,
++		Insecure:          insecure,
++		SSHKey:            "",
++		SSHCertPrincipal:  "",
++		SSHKeyFingerprint: "",
++		SSHAgent:          false,
++		VersionCheck:      true,
++		Created:           time.Now().Unix(),
++	}
++
++	client := login.Client()
++	u, _, err := client.GetMyUserInfo()
++	if err != nil {
++		return nil, fmt.Errorf("failed to validate token: %s", err)
++	}
++
++	login.User = u.UserName
++
++	if login.SSHHost == "" {
++		parsedURL, err := url.Parse(giteaInstanceURL)
++		if err != nil {
++			return nil, err
++		}
++		login.SSHHost = parsedURL.Host
++	}
++
++	return login, nil
++}
++
+ // Client returns a client to operate Gitea API. You may provide additional modifiers
+ // for the client like gitea.SetBasicAuth() for customization
+ func (l *Login) Client(options ...gitea.ClientOption) *gitea.Client {
+diff --git a/modules/context/context.go b/modules/context/context.go
+index aec5592..636eeec 100644
+--- a/modules/context/context.go
++++ b/modules/context/context.go
+@@ -9,9 +9,7 @@ import (
+ 	"log"
+ 	"os"
+ 	"path"
+-	"strconv"
+ 	"strings"
+-	"time"
+ 
+ 	"code.gitea.io/tea/modules/config"
+ 	"code.gitea.io/tea/modules/git"
+@@ -108,16 +106,6 @@ func InitCommand(cmd *cli.Command) *TeaContext {
+ 		c.RepoSlug = repoFlag
+ 	}
+ 
+-	// override config user with env variable
+-	envLogin := GetLoginByEnvVar()
+-	if envLogin != nil {
+-		_, err := utils.ValidateAuthenticationMethod(envLogin.URL, envLogin.Token, "", "", false, "", "")
+-		if err != nil {
+-			log.Fatal(err.Error())
+-		}
+-		c.Login = envLogin
+-	}
+-
+ 	// override login from flag, or use default login if repo based detection failed
+ 	if len(loginFlag) != 0 {
+ 		c.Login = config.GetLoginByName(loginFlag)
+@@ -196,10 +184,25 @@ func contextFromLocalRepo(repoPath, remoteValue string) (*git.TeaRepo, *config.L
+ 		return repo, nil, "", fmt.Errorf("Remote '%s' not found in this Git repository", remoteValue)
+ 	}
+ 
++	envLogin, err := config.CreateLoginFromEnvVars()
++	if err != nil {
++		log.Fatal(err.Error())
++	}
++
+ 	logins, err := config.GetLogins()
+ 	if err != nil {
+ 		return repo, nil, "", err
+ 	}
++
++	if envLogin != nil {
++		_, err := utils.ValidateAuthenticationMethod(envLogin.URL, envLogin.Token, "", "", false, "", "")
++		if err != nil {
++			log.Fatal(err.Error())
++		}
++
++		logins = append([]config.Login{*envLogin}, logins...)
++	}
++
+ 	for _, l := range logins {
+ 		sshHost := l.GetSSHHost()
+ 		for _, u := range remoteConfig.URLs {
+@@ -223,40 +226,3 @@ func contextFromLocalRepo(repoPath, remoteValue string) (*git.TeaRepo, *config.L
+ 
+ 	return repo, nil, "", errNotAGiteaRepo
+ }
+-
+-// GetLoginByEnvVar returns a login based on environment variables, or nil if no login can be created
+-func GetLoginByEnvVar() *config.Login {
+-	var token string
+-
+-	giteaToken := os.Getenv("GITEA_TOKEN")
+-	githubToken := os.Getenv("GH_TOKEN")
+-	giteaInstanceURL := os.Getenv("GITEA_INSTANCE_URL")
+-	instanceInsecure := os.Getenv("GITEA_INSTANCE_INSECURE")
+-	insecure := false
+-	if len(instanceInsecure) > 0 {
+-		insecure, _ = strconv.ParseBool(instanceInsecure)
+-	}
+-
+-	// if no tokens are set, or no instance url for gitea fail fast
+-	if len(giteaInstanceURL) == 0 || (len(giteaToken) == 0 && len(githubToken) == 0) {
+-		return nil
+-	}
+-
+-	token = giteaToken
+-	if len(giteaToken) == 0 {
+-		token = githubToken
+-	}
+-
+-	return &config.Login{
+-		Name:              "GITEA_LOGIN_VIA_ENV",
+-		URL:               giteaInstanceURL,
+-		Token:             token,
+-		Insecure:          insecure,
+-		SSHKey:            "",
+-		SSHCertPrincipal:  "",
+-		SSHKeyFingerprint: "",
+-		SSHAgent:          false,
+-		Created:           time.Now().Unix(),
+-		VersionCheck:      false,
+-	}
+-}

packages/comentario/default.nix

@@ -2,14 +2,14 @@
 # AUTO-UPDATE: nix-update --flake comentario --version=branch=dev --subpackage frontend
 pkgs.buildGoModule (finalAttrs: {
   pname = "comentario";
-  version = "3.14.0-unstable-2025-08-08";
+  version = "3.14.0-unstable-2025-08-29";
 
   src = pkgs.fetchFromGitLab {
     owner = "comentario";
     repo = "comentario";
     # FIXME: Stable rev once type error is fixed
-    rev = "7380d55820827db82f9d191ad82cd35cdbf08cfa";
-    hash = "sha256-uWpHrI4K/VfekW4PDaJXyqjyCGXbYnsGwV0OCSsfw3s=";
+    rev = "90773f976366318389f9d5aa457e6303e6159740";
+    hash = "sha256-f0Y+OdbsG8eA2kD17b4QWaL0hAuoF476XtYm/aFOmLY=";
   };
 
   patches = [
@@ -37,7 +37,7 @@ pkgs.buildGoModule (finalAttrs: {
     missingHashes = ./missing-hashes.json;
     offlineCache = pkgs.yarn-berry.fetchYarnBerryDeps {
       inherit (finalFrontendAttrs) src patches missingHashes;
-      hash = "sha256-HGxWvdFDTCPoDD6ry30gfprvpDAMoQJ0RHMkCzOcVRs=";
+      hash = "sha256-bn/PNgk7ZjCzGSj7BQQCB+5RY+ivJGYZa2/GC4eRjPY=";
     };
 
     nativeBuildInputs = with pkgs; [

packages/darktable/lua-scripts/default.nix

@@ -2,13 +2,13 @@
 # AUTO-UPDATE: nix-update --flake --version=branch=master darktable-lua-scripts
 pkgs.stdenv.mkDerivation {
   pname = "lua-scripts";
-  version = "release-2.0.0-unstable-2025-07-05";
+  version = "release-2.0.0-unstable-2025-08-18";
 
   src = pkgs.fetchFromGitHub {
     owner = "darktable-org";
     repo = "lua-scripts";
-    rev = "aed3275943f218e559c58b98579ceafb02e220da";
-    hash = "sha256-vRE0kxqbjdjwU+S0Eu44ctYulYPgD0XsrTsz1ESq6t0=";
+    rev = "c95547caa72f7b136b5192dd19a535da3fbe4e9b";
+    hash = "sha256-Qt3DkmNH/ZWY3uI8UvhSM4dDt7KDQlJqOnPmsySGGwU=";
   };
 
   installPhase = ''

packages/default.nix

@@ -6,6 +6,7 @@
   darktable-lua-scripts = import ./darktable/lua-scripts { inherit pkgs; };
 
   docker-image-adguardhome = import ./docker/adguardhome { inherit pkgs; };
+  docker-image-attic = import ./docker/attic { inherit pkgs; };
   docker-image-authelia = import ./docker/authelia { inherit pkgs; };
   docker-image-base = import ./docker/base { inherit pkgs; };
   docker-image-comentario = import ./docker/comentario { inherit pkgs; };
@@ -86,6 +87,7 @@
   shlink = import ./shlink { inherit pkgs; };
   shlink-web-client = import ./shlink-web-client { inherit pkgs; };
 
+  ssh-known-hosts-gitea = import ./ssh/known-hosts/gitea { inherit pkgs; };
   ssh-known-hosts-github = import ./ssh/known-hosts/github { inherit pkgs; };
   ssh-known-hosts-gitlab = import ./ssh/known-hosts/gitlab { inherit pkgs; };
 

packages/docker/attic/default.nix

@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+let
+  entrypoint = pkgs.writeTextFile {
+    name = "entrypoint";
+    executable = true;
+    destination = "/bin/entrypoint";
+    text = builtins.readFile ./entrypoint.sh;
+  };
+in
+pkgs.dockerTools.buildImage {
+  name = "attic";
+  fromImage = pkgs.docker-image-base;
+
+  copyToRoot = pkgs.buildEnv {
+    name = "root";
+    paths = with pkgs; [
+      entrypoint
+      attic-server
+      attic-client
+    ];
+    pathsToLink = [ "/bin" ];
+  };
+
+  config = {
+    Entrypoint = [ "entrypoint" ];
+    ExposedPorts = {
+      "8080/tcp" = { };
+    };
+    WorkingDir = "/var/lib/atticd";
+    Volumes = {
+      "/var/lib/atticd" = { };
+    };
+  };
+}

packages/docker/attic/entrypoint.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+
+set -o errexit
+set -o nounset
+
+atticd "$@" &
+PID=$!
+
+if [ -f /etc/attic/post-start.sh ]; then
+  # shellcheck disable=SC1091
+  . /etc/attic/post-start.sh
+fi
+
+trap 'kill -KILL "$PID"' INT TERM
+wait "$PID"
+exit $?

packages/littlelink-server/default.nix

@@ -2,18 +2,18 @@
 # AUTO-UPDATE: nix-update --flake --version=branch=master littlelink-server
 pkgs.stdenv.mkDerivation (finalAttrs: {
   pname = "littlelink-server";
-  version = "0-unstable-2025-07-30";
+  version = "0-unstable-2025-08-25";
 
   src = pkgs.fetchFromGitHub {
     owner = "techno-tim";
     repo = "littlelink-server";
-    rev = "bc1b832bfa02bd901d3592820bb9f2eaa6b65b30";
-    hash = "sha256-5IDwp/mv0mRsLPxbzZfYxV3hE0U2iJEJitj5OlEhVvs=";
+    rev = "9c65c4f389a92b2bf2ca85e545960ef3be4e72e9";
+    hash = "sha256-nd3dMWuYz2Af5XokTgMJdF0U2L98EW6CVuDGSXSOlls=";
   };
 
   offlineCache = pkgs.fetchYarnDeps {
     yarnLock = finalAttrs.src + "/yarn.lock";
-    hash = "sha256-HbidudAixPNkW3/TAjcDnVZoMyrHein4+sV0QGaZWIo=";
+    hash = "sha256-Ikd2PUBIPTTv7e08HbANk4chwMtObyZtnd6pyiWKqps=";
   };
 
   nativeBuildInputs = with pkgs; [

packages/obsidian/plugins/dataview/default.nix

@@ -12,8 +12,8 @@ pkgs.buildNpmPackage (finalAttrs: {
   };
 
   patches = [ ./package-lock.patch ];
-  makeCacheWritable = true;
 
+  makeCacheWritable = true;
   npmDepsHash = "sha256-9RZCDzY9ETs7DPQfBxig92rhA2iCOOKVqwbUJeTGqrY=";
   npmPackFlags = [ "--ignore-scripts" ];
 

packages/obsidian/plugins/excalidraw/default.nix

@@ -2,13 +2,13 @@
 # AUTO-UPDATE: nix-update --flake obsidian-plugin-excalidraw --subpackage mathjaxToSVG
 pkgs.buildNpmPackage (finalAttrs: {
   pname = "obsidian.plugins.excalidraw";
-  version = "2.14.3";
+  version = "2.15.1";
 
   pkg = pkgs.fetchFromGitHub {
     owner = "zsviczian";
     repo = "obsidian-excalidraw-plugin";
     rev = finalAttrs.version;
-    hash = "sha256-cZAxCJFlw+ShO5YQDkzw58Y4W+cqRb9oyjp/xHRX6cE=";
+    hash = "sha256-EsyR5PTZkR+/+5F9mteZ06smbX0mhxtbagO6ZDloHgs=";
   };
 
   mathjaxToSVG = pkgs.buildNpmPackage {
@@ -32,7 +32,7 @@ pkgs.buildNpmPackage (finalAttrs: {
 
   patches = [ ./package-lock.patch ];
 
-  npmDepsHash = "sha256-OKIK8zyadoAmX5BciqJzhHM8cl0vRnCywlMrNhcUWHI=";
+  npmDepsHash = "sha256-QuhHPLjPpZNKZH7qhOr77CCZS9+ls35+ka4WYOEt4zI=";
   npmPackFlags = [ "--ignore-scripts" ];
 
   configurePhase = ''

packages/obsidian/plugins/excalidraw/package-lock.patch

@@ -1,13 +1,13 @@
 diff --git a/package-lock.json b/package-lock.json
-index 033dbdd..fcb5477 100644
+index 21d66bd..fc0b033 100644
 --- a/package-lock.json
 +++ b/package-lock.json
 @@ -11,7 +11,7 @@
        "dependencies": {
          "@popperjs/core": "^2.11.8",
          "@zsviczian/colormaster": "^1.2.2",
--        "@zsviczian/excalidraw": "0.18.0-27",
-+        "@zsviczian/excalidraw": "0.18.0-30",
+-        "@zsviczian/excalidraw": "0.18.0-31",
++        "@zsviczian/excalidraw": "0.18.0-37",
          "chroma-js": "^3.1.2",
          "clsx": "^2.0.0",
          "es6-promise-pool": "2.5.0",
@@ -15,12 +15,12 @@ index 033dbdd..fcb5477 100644
        "license": "MIT"
      },
      "node_modules/@zsviczian/excalidraw": {
--      "version": "0.18.0-27",
--      "resolved": "https://registry.npmjs.org/@zsviczian/excalidraw/-/excalidraw-0.18.0-27.tgz",
--      "integrity": "sha512-cigzCO65+EB+Y4G9LYEK/kVf2R3nNqNjEhGWqi5tZ0AcHEKPsMHAn6CtU36V6crRdojZLtyg5RASIdkxy4zZCA==",
-+      "version": "0.18.0-30",
-+      "resolved": "https://registry.npmjs.org/@zsviczian/excalidraw/-/excalidraw-0.18.0-30.tgz",
-+      "integrity": "sha512-jeiejbAqCPq1kg76kxNV2+PpBf8yDCdcgPqZ6O4TOX+2IKpw0/K9Y16VPjGDO7SWGRBCi82WM98Vf09tdl5KaQ==",
+-      "version": "0.18.0-31",
+-      "resolved": "https://registry.npmjs.org/@zsviczian/excalidraw/-/excalidraw-0.18.0-31.tgz",
+-      "integrity": "sha512-A1wyp8EVOhCdoxdX7middc8LoLpjPLtxiSTeBbdMtungl8VQzAcQ2tSGCkncK/8RBcBaUk44Hr6KcWjezHnQew==",
++      "version": "0.18.0-37",
++      "resolved": "https://registry.npmjs.org/@zsviczian/excalidraw/-/excalidraw-0.18.0-37.tgz",
++      "integrity": "sha512-SC4a6wj6IzE9HucxImDoOPcojojW/8FSry1hSA+hXfU350DhY6VlpFQ1DHJMPqVgIkFHB/hbCHt3klV+66+ouw==",
 +      "license": "MIT",
        "dependencies": {
          "@braintree/sanitize-url": "6.0.2",

packages/obsidian/plugins/tasks/default.nix

@@ -2,18 +2,18 @@
 # AUTO-UPDATE: nix-update --flake obsidian-plugin-tasks
 pkgs.stdenv.mkDerivation (finalAttrs: {
   pname = "tasks";
-  version = "7.20.0";
+  version = "7.21.0";
 
   src = pkgs.fetchFromGitHub {
     owner = "obsidian-tasks-group";
     repo = "obsidian-tasks";
     rev = finalAttrs.version;
-    hash = "sha256-K9/H2BgruB1O9KwW+xoiCsuXFfu6o4xZDCI40OEmh+o=";
+    hash = "sha256-/7vTXAsMHWOopscdKldbXpvQvEl4qcnV3HpYClZWUsg=";
   };
 
   offlineCache = pkgs.fetchYarnDeps {
     yarnLock = finalAttrs.src + "/yarn.lock";
-    hash = "sha256-ecPZvpMQkL2o0X4qx6h1jwQVZrtTC3+Aj7n/SBLRQbo=";
+    hash = "sha256-PXMN/05G1FIiR93seJSBilZDzXMv3o3cXDaEOUC71s0=";
   };
 
   nativeBuildInputs = with pkgs; [

packages/obsidian/plugins/url-into-selection/default.nix

@@ -2,16 +2,16 @@
 # AUTO-UPDATE: nix-update --flake obsidian-plugin-url-into-selection
 pkgs.buildNpmPackage (finalAttrs: {
   pname = "url-into-selection";
-  version = "1.11.3";
+  version = "1.11.4";
 
   src = pkgs.fetchFromGitHub {
     owner = "denolehov";
     repo = "obsidian-url-into-selection";
     rev = finalAttrs.version;
-    hash = "sha256-B793Lpt/3ddj9xvpNSsiHjsa1yP7ZXhQFLBUPfCriAw=";
+    hash = "sha256-8yzx1ryMf7gRGbdD7zL3I1Q+W1RwcubTo42o6O3zCDY=";
   };
 
-  npmDepsHash = "sha256-DKjYtQ6KycPEms5BdyOXw6iNb9MgNOyJg8haL+cZHMk=";
+  npmDepsHash = "sha256-/EVidF6Wn/AFFgqYIJjUErpZyfliNtCSHMMS1n6GBew=";
   npmPackFlags = [ "--ignore-scripts" ];
 
   installPhase = ''

packages/obsidian/themes/minimal/default.nix

@@ -2,13 +2,13 @@
 # AUTO-UPDATE: nix-update --flake obsidian-theme-minimal
 pkgs.buildNpmPackage (finalAttrs: {
   pname = "minimal";
-  version = "8.0.3";
+  version = "8.0.4";
 
   src = pkgs.fetchFromGitHub {
     owner = "kepano";
     repo = "obsidian-minimal";
     rev = finalAttrs.version;
-    hash = "sha256-pLfmIRY/opTgxYsvyNa9MVN9NziCTrjDTM/oBfhxEc0=";
+    hash = "sha256-TGToK2k9zpd5LappqlkGgxJliXqE4HzsBq07c4IN+T4=";
   };
 
   npmDepsHash = "sha256-R+XeEkDP0MxNQsFCWmHXKtLBcmiOTv9Nw7t2e27kvQg=";

packages/oidcwarden/default.nix

@@ -3,16 +3,16 @@
 # FIXME: https://github.com/dani-garcia/vaultwarden/pull/3899
 pkgs.rustPlatform.buildRustPackage (finalAttrs: {
   pname = "oidcwarden";
-  version = "2025.6.1-3";
+  version = "2025.8.1-1";
 
   src = pkgs.fetchFromGitHub {
     owner = "Timshel";
     repo = "OIDCWarden";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-I4zOWIU8iBQeLMMQSVcKc3w+WodiZ6MDYnKR7H/+v0Y=";
+    hash = "sha256-yH2qewIV79hBDRn0KFj2mULpD2tTm5+8E2kIN8uMWHM=";
   };
 
-  cargoHash = "sha256-fMePvMnefdcN90Y3BPqcKNXyg7tUd64IOUnOQis/qTU=";
+  cargoHash = "sha256-ZPCRFBaISCIlPY/x3lTqxuePgZXcOLvgyOrw2XVcAVw=";
 
   env.VW_VERSION = finalAttrs.version;
 

packages/prometheus-podman-exporter/default.nix

@@ -2,13 +2,13 @@
 # AUTO-UPDATE: nix-update --flake prometheus-podman-exporter
 pkgs.buildGoModule (finalAttrs: {
   pname = "prometheus-podman-exporter";
-  version = "1.17.2";
+  version = "1.18.0";
 
   src = pkgs.fetchFromGitHub {
     owner = "containers";
     repo = "prometheus-podman-exporter";
     rev = "v${finalAttrs.version}";
-    hash = "sha256-TlQQbeYcCTZKF6DUKM+UE8iU9KC5tLpCtee62sNbW8s=";
+    hash = "sha256-hrecxJp78c8LruXTGRDU6zNWnyh+vwgCpVJsm026NYw=";
   };
 
   vendorHash = null;

packages/shlink-web-client/default.nix

@@ -2,16 +2,19 @@
 # AUTO-UPDATE: nix-update --flake shlink-web-client
 pkgs.buildNpmPackage (finalAttrs: {
   pname = "shlink-web-client";
-  version = "4.5.0";
+  version = "4.5.1";
 
   src = pkgs.fetchFromGitHub {
     owner = "shlinkio";
     repo = finalAttrs.pname;
     rev = "v${finalAttrs.version}";
-    hash = "sha256-pIB1WH5iRyr0yNjqxK+bC7qh5fSzYMdOzlut1ohjSkg=";
+    hash = "sha256-ieRTXAYlF0IOt/dlXuHUGvvT1J+TYVWaoNQbYZFLOZ4=";
   };
 
-  npmDepsHash = "sha256-Kn2hVMxQpNi3SwGElymNojaUyc/QMbi+9oIuFEkLeLw=";
+  patches = [ ./package-lock.patch ];
+
+  npmDepsHash = "sha256-q1LUimy7rQe3cKMZEI0SflGeUhthykLpcvJz1oLSkfY=";
+  npmFlags = [ "--legacy-peer-deps" ];
 
   homepage = "/web";
 

packages/shlink/default.nix

@@ -2,11 +2,11 @@
 # AUTO-UPDATE: nix-update --flake shlink
 pkgs.stdenv.mkDerivation (finalAttrs: {
   pname = "shlink";
-  version = "4.5.0";
+  version = "4.5.2";
 
   src = pkgs.fetchzip {
     url = "https://github.com/shlinkio/shlink/releases/download/v${finalAttrs.version}/shlink${finalAttrs.version}_php8.4_dist.zip";
-    sha256 = "sha256-IndszqEW3pUaBIHBh4eIkPF2sM/KawANAW1wWx8tRdU=";
+    sha256 = "sha256-1ZKC/o3IPPfVWxyAIkiaLN70XXLXHKalAvEG63Xrmes=";
   };
 
   installPhase = ''

packages/ssh/known-hosts/gitea/default.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+pkgs.stdenv.mkDerivation {
+  pname = "ssh-known-hosts-gitea";
+  version = "0-unstable-2025-09-01";
+
+  src = pkgs.lib.fetchers.sshKnownHosts {
+    host = "gitea.com";
+    hash = "sha256-xibPjdZdkUSQS+YLfVsanFfAEnKfAPxgRAz138sNJ6c=";
+  };
+
+  phases = [ "installPhase" ];
+
+  installPhase = ''
+    cp $src $out
+  '';
+}

scripts/cache.sh

@@ -0,0 +1,19 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+flake_json=$(nix flake show --json)
+
+build_and_push() {
+  local expr="$1"
+  nix build "$expr" --no-link --print-out-paths | while IFS= read -r path; do
+    attic push main "$path"
+  done
+}
+
+jq -r '.nixosConfigurations | keys[]' <<<"$flake_json" | while IFS= read -r cfg; do
+  expr=".#nixosConfigurations.\"$cfg\".config.system.build.toplevel"
+  build_and_push "$expr"
+done