Add grafana system & traefik dashboards

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>

.gitignore

@@ -0,0 +1,7 @@
+# ---> Nix
+# Ignore build outputs from performing a nix-build or `nix build` command
+result
+result-*
+
+# Ignore automatically generated direnv output
+.direnv

.gitlab-ci.yml

@@ -1,27 +0,0 @@
-stages:
-  - build
-  - test
-
-variables:
-  GIT_SUBMODULE_STRATEGY: recursive
-
-cache: &global_cache
-  key:
-    files:
-      - flake.lock
-      - flake.nix
-  paths:
-    - /nix/store
-  policy: pull-push
-
-build:
-  image: nixos/nix
-  stage: build
-  timeout: 48h
-  cache:
-    <<: *global_cache
-  script:
-    - nix --experimental-features 'nix-command flakes' flake check --show-trace
-
-include:
-  - template: Jobs/Secret-Detection.gitlab-ci.yml

.gitmodules

@@ -1,3 +1,9 @@
 [submodule "secrets"]
-	path = secrets
-	url = https://git.karaolidis.com/karaolidis/nix-secrets.git
+	path = submodules/secrets
+	url = git@karaolidis.com:karaolidis/nix-secrets.git
+[submodule "sas"]
+	path = submodules/sas
+	url = git@karaolidis.com:karaolidis/nix-sas.git
+[submodule "lib"]
+	path = submodules/lib
+	url = git@karaolidis.com:karaolidis/nix-lib.git

README.md

@@ -7,7 +7,6 @@ NixOS dotfiles and configuration for various hosts and users.
 - [`flake.lock`](./flake.lock) and [`flake.nix`](./flake.nix): Core Nix flake files defining the repository's dependencies and entry points.
 
 - [`hosts/`](./hosts): All host-specific configurations.
-
   - [`common/`](./hosts/common): Shared configuration definitions.
     - [`shells/`](./hosts/common/shells): Nix dev shells.
     - [`configs/`](./hosts/common/configs): System configurations applicable to all hosts.
@@ -17,15 +16,16 @@ NixOS dotfiles and configuration for various hosts and users.
         - [`gui/`](./hosts/common/configs/user/gui): GUI-related settings.
   - `<name>/`: Individual host configurations.
 
+- [`overlays/`](./overlays/): Custom patches.
+
 - [`packages/`](./packages/): Custom packages.
 
-- [`lib/`](./lib): Nix library function definitions and utilities.
-
-  - [`scripts/`](./lib/scripts): Utility scripts for managing the repository.
-    - [`add-host.sh`](./lib/scripts/add-host.sh): Instantiate the keys for a new host configuration.
-    - [`remove-host.sh`](./lib/scripts/remove-host.sh): Remove references to a host.
-    - [`update-keys.sh`](./lib/scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
-    - [`update.sh`](./lib/scripts/update.sh): Update flake and all packages.
+- [`scripts/`](./scripts): Utility scripts for managing the repository.
+  - [`add-host.sh`](./scripts/add-host.sh): Instantiate the keys for a new host configuration.
+  - [`remove-host.sh`](./scripts/remove-host.sh): Remove references to a host.
+  - [`update-keys.sh`](./scripts/update-keys.sh): Update the encryption keys in all relevant files using `sops.yaml` configurations.
+  - [`update.sh`](./scripts/update.sh): Update flake and all packages.
+  - [`cache.sh`](./scripts/cache.sh): Build all `nixosConfiguration`s and push them to `attic`.
 
 Any `options.nix` files create custom option definitions when present.
 

flake.lock

@@ -5,17 +5,16 @@
         "astal": [
           "astal"
         ],
-        "gnim": "gnim",
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1752328525,
-        "narHash": "sha256-0aaVFLQxY1dKIS5jzwhbO847yIdr3U0o2heUzC5iat4=",
+        "lastModified": 1756487002,
+        "narHash": "sha256-hN9RfNXy53qAkT68T+IYZpl68uE1uPOVMkw0MqC43KA=",
         "owner": "aylur",
         "repo": "ags",
-        "rev": "2eb3ea54311b0f7ba9d333d661d12cda1ed5507e",
+        "rev": "8ff792dba6cc82eed10e760f551075564dd0a407",
         "type": "github"
       },
       "original": {
@@ -31,11 +30,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1752404970,
-        "narHash": "sha256-XULTToDUkIshNXEO+YP2mAHdQv8bxWDvKjbamBfOC8E=",
+        "lastModified": 1756474652,
+        "narHash": "sha256-iiBU6itpEqE0spXeNJ3uJTfioSyKYjt5bNepykpDXTE=",
         "owner": "aylur",
         "repo": "astal",
-        "rev": "2c5eb54f39e1710c6e2c80915a240978beb3269a",
+        "rev": "20bd8318e4136fbd3d4eb2d64dbabc3acbc915dd",
         "type": "github"
       },
       "original": {
@@ -44,6 +43,21 @@
         "type": "github"
       }
     },
+    "crane": {
+      "locked": {
+        "lastModified": 1754269165,
+        "narHash": "sha256-0tcS8FHd4QjbCVoxN9jI+PjHgA4vc/IjkUSp+N3zy0U=",
+        "owner": "ipetkov",
+        "repo": "crane",
+        "rev": "444e81206df3f7d92780680e45858e31d2f07a08",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ipetkov",
+        "repo": "crane",
+        "type": "github"
+      }
+    },
     "disko": {
       "inputs": {
         "nixpkgs": [
@@ -65,6 +79,20 @@
         "type": "github"
       }
     },
+    "flake-compat": {
+      "locked": {
+        "lastModified": 1733328505,
+        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "revCount": 69,
+        "type": "tarball",
+        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
+      }
+    },
     "flake-input-patcher": {
       "inputs": {
         "nixpkgs": [
@@ -90,17 +118,14 @@
     },
     "flake-parts": {
       "inputs": {
-        "nixpkgs-lib": [
-          "nur",
-          "nixpkgs"
-        ]
+        "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1733312601,
-        "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+        "lastModified": 1754487366,
+        "narHash": "sha256-pHYj8gUBapuUzKV/kN/tR3Zvqc7o6gdFB9XKXIp1SQ8=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+        "rev": "af66ad14b28a127c5c0f3bbb298218fc63528a18",
         "type": "github"
       },
       "original": {
@@ -129,19 +154,25 @@
         "type": "github"
       }
     },
-    "gnim": {
-      "flake": false,
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "pre-commit-hooks-nix",
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1751928958,
-        "narHash": "sha256-vQY2L+Hnp6F1MHFa3UbMft1goGw3iODI5M+96Z7P+9Q=",
-        "owner": "aylur",
-        "repo": "gnim",
-        "rev": "9bffa83f52f711b13e3c139454623a9aea4f5552",
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
         "type": "github"
       },
       "original": {
-        "owner": "aylur",
-        "repo": "gnim",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
         "type": "github"
       }
     },
@@ -152,11 +183,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753675338,
-        "narHash": "sha256-KDS9sr7dddH97lUXa7oxfRqphBlCA6JxZO4m/Z4W06I=",
+        "lastModified": 1756579987,
+        "narHash": "sha256-duCce8zGsaMsrqqOmLOsuaV1PVIw/vXWnKuLKZClsGg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e4b032ba5113664f0b8b23d956e59ce8e0bc349d",
+        "rev": "99a69bdf8a3c6bf038c4121e9c4b6e99706a187a",
         "type": "github"
       },
       "original": {
@@ -165,13 +196,104 @@
         "type": "github"
       }
     },
+    "lanzaboote": {
+      "inputs": {
+        "crane": "crane",
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "pre-commit-hooks-nix": "pre-commit-hooks-nix",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1754297745,
+        "narHash": "sha256-aD6/scLN3L4ZszmNbhhd3JQ9Pzv1ScYFphz14wHinfs=",
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "rev": "892cbdca865d6b42f9c0d222fe309f7720259855",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "lanzaboote",
+        "type": "github"
+      }
+    },
+    "lib": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": [
+          "treefmt-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1755506074,
+        "narHash": "sha256-SztuKbAPppW5grMJLSGO5rBCXEWCOfhb39cPDONEUfo=",
+        "ref": "refs/heads/main",
+        "rev": "ac85b6f608ed88d424621ec30f3848d621383487",
+        "revCount": 6,
+        "type": "git",
+        "url": "https://git.karaolidis.com/karaolidis/nix-lib.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.karaolidis.com/karaolidis/nix-lib.git"
+      }
+    },
+    "mnw": {
+      "locked": {
+        "lastModified": 1748710831,
+        "narHash": "sha256-eZu2yH3Y2eA9DD3naKWy/sTxYS5rPK2hO7vj8tvUCSU=",
+        "owner": "Gerg-L",
+        "repo": "mnw",
+        "rev": "cff958a4e050f8d917a6ff3a5624bc4681c6187d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Gerg-L",
+        "repo": "mnw",
+        "type": "github"
+      }
+    },
+    "nixos-wsl": {
+      "inputs": {
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1755774185,
+        "narHash": "sha256-XjKqiTA19mkoBkja0VOy90qp2gC1f2fGgsLb9m1lg5Q=",
+        "owner": "karaolidis",
+        "repo": "NixOS-WSL",
+        "rev": "b1f426697f62006b99fac0cc25a106626c78f874",
+        "type": "github"
+      },
+      "original": {
+        "owner": "karaolidis",
+        "ref": "extra-files",
+        "repo": "NixOS-WSL",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1753549186,
-        "narHash": "sha256-Znl7rzuxKg/Mdm6AhimcKynM7V3YeNDIcLjBuoBcmNs=",
+        "lastModified": 1756542300,
+        "narHash": "sha256-tlOn88coG5fzdyqz6R93SQL5Gpq+m/DsWpekNFhqPQk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "17f6bd177404d6d43017595c5264756764444ab8",
+        "rev": "d7600c775f877cd87b4f5a831c28aa94137377aa",
         "type": "github"
       },
       "original": {
@@ -181,19 +303,36 @@
         "type": "github"
       }
     },
+    "nixpkgs-lib": {
+      "locked": {
+        "lastModified": 1753579242,
+        "narHash": "sha256-zvaMGVn14/Zz8hnp4VWT9xVnhc8vuL3TStRqwk22biA=",
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "rev": "0f36c44e01a6129be94e3ade315a5883f0228a6e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nixpkgs.lib",
+        "type": "github"
+      }
+    },
     "nur": {
       "inputs": {
-        "flake-parts": "flake-parts",
+        "flake-parts": [
+          "flake-parts"
+        ],
         "nixpkgs": [
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1753691404,
-        "narHash": "sha256-1sZg24xTL6k3ktFrOWOf0/bhYIYzND+cfsxb5VDRahU=",
+        "lastModified": 1756630008,
+        "narHash": "sha256-weZiVKbiWQzTifm6qCxzhxghEu5mbh9mWNUdkzOLCR0=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "e3fe68989cba00e16de704432a7a760fb1f7e573",
+        "rev": "f6a5a7b60dd6065e78ef06390767e689ffa3c23f",
         "type": "github"
       },
       "original": {
@@ -202,6 +341,36 @@
         "type": "github"
       }
     },
+    "nvf": {
+      "inputs": {
+        "flake-compat": [
+          "flake-compat"
+        ],
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "mnw": "mnw",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": [
+          "systems"
+        ]
+      },
+      "locked": {
+        "lastModified": 1755463179,
+        "narHash": "sha256-5Ggb1Mhf7ZlRgGi2puCa2PvWs6KbMnWBlW6KW7Vf79Y=",
+        "owner": "NotAShelf",
+        "repo": "nvf",
+        "rev": "03833118267ad32226b014b360692bdce9d6e082",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NotAShelf",
+        "repo": "nvf",
+        "type": "github"
+      }
+    },
     "nvidia-patch": {
       "inputs": {
         "nixpkgs": [
@@ -212,11 +381,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753078133,
-        "narHash": "sha256-z+cvobe/+6pSVmwVrI+/k4lt7CjsQtfhlMaAlLQcSPY=",
+        "lastModified": 1756052001,
+        "narHash": "sha256-dlLqyHxqiFAoIwshKe9X3PzXcJ+up88Qb2JVQswFaNE=",
         "owner": "icewind1991",
         "repo": "nvidia-patch-nixos",
-        "rev": "b5bb7576a5a951cea1a46703f488ac76fa827876",
+        "rev": "780af7357d942fad2ddd9f325615a5f6ea7e37ee",
         "type": "github"
       },
       "original": {
@@ -225,13 +394,39 @@
         "type": "github"
       }
     },
+    "pre-commit-hooks-nix": {
+      "inputs": {
+        "flake-compat": [
+          "lanzaboote",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1750779888,
+        "narHash": "sha256-wibppH3g/E2lxU43ZQHC5yA/7kIKLGxVEnsnVK1BtRg=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "16ec914f6fb6f599ce988427d9d94efddf25fe6d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
     "quadlet-nix": {
       "locked": {
-        "lastModified": 1753321053,
-        "narHash": "sha256-7d9eSy3qhzVut64dKzDriKo44LfXRCS5ykk4BAbNfVU=",
+        "lastModified": 1754008153,
+        "narHash": "sha256-MYT1mDtSkiVg343agxgBFsnuNU3xS8vRy399JXX1Vw0=",
         "owner": "SEIAROTg",
         "repo": "quadlet-nix",
-        "rev": "172f2a786615dccc153550832f0bf2f373d5d261",
+        "rev": "1b2d27d460d8c7e4da5ba44ede463b427160b5c4",
         "type": "github"
       },
       "original": {
@@ -245,13 +440,20 @@
         "ags": "ags",
         "astal": "astal",
         "disko": "disko",
+        "flake-compat": "flake-compat",
         "flake-input-patcher": "flake-input-patcher",
+        "flake-parts": "flake-parts",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
+        "lanzaboote": "lanzaboote",
+        "lib": "lib",
+        "nixos-wsl": "nixos-wsl",
         "nixpkgs": "nixpkgs",
         "nur": "nur",
+        "nvf": "nvf",
         "nvidia-patch": "nvidia-patch",
         "quadlet-nix": "quadlet-nix",
+        "sas": "sas",
         "secrets": "secrets",
         "sops-nix": "sops-nix",
         "spicetify-nix": "spicetify-nix",
@@ -259,20 +461,67 @@
         "treefmt-nix": "treefmt-nix"
       }
     },
-    "secrets": {
-      "flake": false,
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "lanzaboote",
+          "nixpkgs"
+        ]
+      },
       "locked": {
-        "lastModified": 1753458351,
-        "narHash": "sha256-wsZQkEA3YYouRu7wjepetS6rnwLEr00wMpIQsxbZNTU=",
+        "lastModified": 1754189623,
+        "narHash": "sha256-fstu5eb30UYwsxow0aQqkzxNxGn80UZjyehQVNVHuBk=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "c582ff7f0d8a7ea689ae836dfb1773f1814f472a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "sas": {
+      "inputs": {
+        "lib": [
+          "lib"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "treefmt-nix": [
+          "treefmt-nix"
+        ]
+      },
+      "locked": {
+        "lastModified": 1755532656,
+        "narHash": "sha256-xYb5dJej3emyr4oWWAhkMP8rPc3kdVOXGZcIbAx1Y/I=",
         "ref": "refs/heads/main",
-        "rev": "6ce176beb34bfe0ac65131564c1fa3f5d0aca1fe",
-        "revCount": 26,
+        "rev": "b01f3f8456903cb1bde9637cc23b456b47354138",
+        "revCount": 11,
         "type": "git",
-        "url": "https://git.karaolidis.com/karaolidis/nix-secrets.git"
+        "url": "ssh://git@karaolidis.com/karaolidis/nix-sas.git"
       },
       "original": {
         "type": "git",
-        "url": "https://git.karaolidis.com/karaolidis/nix-secrets.git"
+        "url": "ssh://git@karaolidis.com/karaolidis/nix-sas.git"
+      }
+    },
+    "secrets": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1756900832,
+        "narHash": "sha256-sMne4dvYzcdbDVcMPY6NLVHiZbgjtDrxttKG0Vig8WQ=",
+        "ref": "refs/heads/main",
+        "rev": "adac63f6daffb4e14ce0fb94e93eb987e2460064",
+        "revCount": 38,
+        "type": "git",
+        "url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://git@karaolidis.com/karaolidis/nix-secrets.git"
       }
     },
     "sops-nix": {
@@ -282,11 +531,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1752544651,
-        "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
+        "lastModified": 1754988908,
+        "narHash": "sha256-t+voe2961vCgrzPFtZxha0/kmFSHFobzF00sT8p9h0U=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "2c8def626f54708a9c38a5861866660395bb3461",
+        "rev": "3223c7a92724b5d804e9988c6b447a0d09017d48",
         "type": "github"
       },
       "original": {
@@ -305,11 +554,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753591727,
-        "narHash": "sha256-Ow+qyFckroPS4SQFHcFZ8mKh3HIQ2pQdC6DRjiYF9EE=",
+        "lastModified": 1756614537,
+        "narHash": "sha256-qyszmZO9CEKAlj5NBQo1AIIADm5Fgqs5ZggW1sU1TVo=",
         "owner": "Gerg-L",
         "repo": "spicetify-nix",
-        "rev": "26c488b60360e15db372483d826cec89ac532980",
+        "rev": "374eb5d97092b97f7aaafd58a2012943b388c0df",
         "type": "github"
       },
       "original": {
@@ -340,11 +589,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1753439394,
-        "narHash": "sha256-Bv9h1AJegLI8uAhiJ1sZ4XAndYxhgf38tMgCQwiEpmc=",
+        "lastModified": 1755934250,
+        "narHash": "sha256-CsDojnMgYsfshQw3t4zjRUkmMmUdZGthl16bXVWgRYU=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "2673921c03d6e75fdf4aa93e025772608d1482cf",
+        "rev": "74e1a52d5bd9430312f8d1b8b0354c92c17453e5",
         "type": "github"
       },
       "original": {

flake.nix

@@ -1,5 +1,6 @@
 {
   inputs = {
+    # Configuration
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
     home-manager = {
@@ -7,33 +8,21 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    disko = {
-      url = "github:nix-community/disko/latest";
-      inputs.nixpkgs.follows = "nixpkgs";
+    # Packages
+    nur = {
+      url = "github:nix-community/NUR";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-parts.follows = "flake-parts";
+      };
     };
 
+    # DevOps
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
-    secrets = {
-      url = "git+https://git.karaolidis.com/karaolidis/nix-secrets.git";
-      flake = false;
-    };
-
-    systems.url = "github:nix-systems/default";
-
-    nur = {
-      url = "github:nix-community/NUR";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    flake-utils = {
-      url = "github:numtide/flake-utils";
-      inputs.systems.follows = "systems";
-    };
-
     treefmt-nix = {
       url = "github:numtide/treefmt-nix";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -47,6 +36,66 @@
       };
     };
 
+    # Personal
+    lib = {
+      # FIXME: https://github.com/NixOS/nix/issues/12281
+      url = "git+https://git.karaolidis.com/karaolidis/nix-lib.git";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        treefmt-nix.follows = "treefmt-nix";
+      };
+    };
+
+    sas = {
+      # FIXME: https://github.com/NixOS/nix/issues/12281
+      url = "git+ssh://git@karaolidis.com/karaolidis/nix-sas.git";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        lib.follows = "lib";
+        treefmt-nix.follows = "treefmt-nix";
+      };
+    };
+
+    secrets = {
+      # FIXME: https://github.com/NixOS/nix/issues/12281
+      url = "git+ssh://git@karaolidis.com/karaolidis/nix-secrets.git";
+      flake = false;
+    };
+
+    # Hardware
+    disko = {
+      url = "github:nix-community/disko/latest";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    lanzaboote = {
+      url = "github:nix-community/lanzaboote";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-compat.follows = "flake-compat";
+        flake-parts.follows = "flake-parts";
+      };
+    };
+
+    nixos-wsl = {
+      url = "github:karaolidis/NixOS-WSL/extra-files";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-compat.follows = "flake-compat";
+      };
+    };
+
+    # Applications
+    nvf = {
+      url = "github:NotAShelf/nvf";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
+        flake-compat.follows = "flake-compat";
+        flake-parts.follows = "flake-parts";
+        systems.follows = "systems";
+      };
+    };
+
     quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
 
     nvidia-patch = {
@@ -77,17 +126,30 @@
         systems.follows = "systems";
       };
     };
+
+    # Transitive Dependencies
+    systems.url = "github:nix-systems/default";
+
+    flake-parts.url = "github:hercules-ci/flake-parts";
+
+    flake-utils = {
+      url = "github:numtide/flake-utils";
+      inputs.systems.follows = "systems";
+    };
+
+    flake-compat.url = "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz";
   };
 
   outputs =
-    inputs:
+    unpatchedInputs:
     let
-      mkInputs =
+      patchInputs =
         system:
         let
-          patcher = inputs.flake-input-patcher.lib.${system};
+          patcher = unpatchedInputs.flake-input-patcher.lib.${system};
+          patches = import ./patches.nix { inherit patcher; };
         in
-        patcher.patch inputs (import ./patches.nix { inherit patcher; });
+        if patches != { } then patcher.patch unpatchedInputs patches else unpatchedInputs;
 
       mkNixosConfiguration =
         inputs: system: modules:
@@ -96,14 +158,21 @@
           specialArgs = { inherit inputs system; };
         };
     in
-    (
+    {
+      overlays.default = import ./overlays;
+    }
+    // (
       let
         system = "x86_64-linux";
-        inputs = mkInputs system;
+        inputs = patchInputs system;
 
         pkgs = import inputs.nixpkgs {
           inherit system;
           config.allowUnfree = true;
+          overlays = [
+            inputs.lib.overlays.default
+            inputs.self.overlays.default
+          ];
         };
 
         treefmt = inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
@@ -118,11 +187,9 @@
         };
 
         devShells.${system} = import ./hosts/common/shells { inherit pkgs; };
-        lib.${system} = import ./lib { inherit pkgs; };
-        packages.${system} = import ./packages { inherit pkgs inputs system; };
-
+        packages.${system} = import ./packages { inherit pkgs; };
         formatter.${system} = treefmt.config.build.wrapper;
-        checks.formatting.${system} = treefmt.config.build.check inputs.self;
+        checks.${system}.formatting = treefmt.config.build.check inputs.self;
       }
     );
 }

hosts/common/configs/system/cloudflared/default.nix

@@ -1,5 +0,0 @@
-{ ... }:
-{
-  # https://developers.cloudflare.com/cloudflare-one/connections/connect-networks/get-started/create-local-tunnel/
-  services.cloudflared.enable = true;
-}

hosts/common/configs/system/dnsmasq/default.nix

@@ -1,22 +0,0 @@
-{ lib, pkgs, ... }:
-{
-  networking.networkmanager.dns = "dnsmasq";
-
-  environment.etc."NetworkManager/dnsmasq.d/10-bind-interfaces.conf".source =
-    (pkgs.formats.keyValue {
-      mkKeyValue =
-        name: value:
-        if value == true then
-          name
-        else if value == false then
-          ""
-        else
-          lib.generators.mkKeyValueDefault { } "=" name value;
-      listsAsDuplicateKeys = true;
-    }).generate
-      "10-bind-interfaces.conf"
-      {
-        bind-interfaces = true;
-        listen-address = [ "127.0.0.1" ];
-      };
-}

hosts/common/configs/system/fail2ban/default.nix

@@ -0,0 +1,14 @@
+{ ... }:
+{
+  environment.persistence."/persist/state"."/var/lib/fail2ban" = { };
+
+  services.fail2ban = {
+    enable = true;
+    bantime = "24h";
+    bantime-increment = {
+      enable = true;
+      maxtime = "720h";
+      overalljails = true;
+    };
+  };
+}

hosts/common/configs/system/gpg-agent/default.nix

@@ -1,4 +0,0 @@
-{ ... }:
-{
-  programs.gnupg.agent.enable = true;
-}

hosts/common/configs/system/lanzaboote/default.nix

@@ -0,0 +1,22 @@
+{
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
+
+  environment = {
+    persistence."/persist/state"."/var/lib/sbctl" = { };
+
+    systemPackages = with pkgs; [ sbctl ];
+  };
+
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+
+  boot.lanzaboote = {
+    enable = true;
+    pkiBundle = "/var/lib/sbctl";
+  };
+}

hosts/common/configs/system/libvirt/default.nix

@@ -1,9 +1,4 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
+{ config, pkgs, ... }:
 {
   virtualisation = {
     libvirtd = {

hosts/common/configs/system/nix-install/install.completion.zsh

@@ -4,6 +4,7 @@ _nix-install_completion() {
     '-m[Mode: 'install' or 'repair']:mode:(install repair)'
     '-h[Host to configure]:host:($(_list_hosts))'
     '-k[Key file to copy to user config]:key:($(_list_keys))'
+    '-s[Enroll secure boot keys on current device]'
     '-c[Copy configuration to target]'
     '-r[Reboot after completion]'
   )
@@ -17,8 +18,8 @@ _nix-install_completion() {
 
   _list_keys() {
     local flake="$(realpath ${words[2]})"
-    if [[ -d "$flake/secrets" ]]; then
-      find "$flake/secrets" -type f -name 'key.txt' | sed -E 's|^.*/secrets/([^/]+)/key.txt$|\1|' | sort -u
+    if [[ -d "$flake/submodules/secrets/domains" ]]; then
+      find "$flake/submodules/secrets/domains" -type f -name 'key.txt' | sed -E 's|^.*/submodules/secrets/domains/([^/]+)/key.txt$|\1|' | sort -u
     fi
   }
 

hosts/common/configs/system/nix-install/install.sh

@@ -1,13 +1,14 @@
 # shellcheck shell=bash
 
 usage() {
-  echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-c] [-r]"
+  echo "Usage: $0 flake -m install|repair -h host [-k key] [-p password_file] [-s] [-c] [-r]"
   echo
   echo "Options:"
   echo "  flake               Directory containing the flake.nix file."
   echo "  -m mode             Mode: 'install' or 'repair'."
   echo "  -h host             Host to configure."
   echo "  -k key              Key file to copy to user config."
+  echo "  -s                  Enroll secure boot keys on current device."
   echo "  -c                  Copy configuration to target."
   echo "  -r                  Reboot after completion."
   exit 1
@@ -35,23 +36,24 @@ check_flake() {
 }
 
 check_host() {
-  if ! nix flake show --quiet --json "$flake" 2>/dev/null | jq -e ".nixosConfigurations[\"$host\"]" &>/dev/null; then
+  if ! nix flake show --allow-import-from-derivation --quiet --json "$flake" 2>/dev/null | jq -e ".nixosConfigurations[\"$host\"]" &>/dev/null; then
     echo "Host '$host' not found in flake."
     exit 1
   fi
 }
 
 check_key() {
-  if [[ -n "$key" ]] && [[ ! -f "$flake/secrets/$key/key.txt" ]]; then
+  if [[ -n "$key" ]] && [[ ! -f "$flake/submodules/secrets/domains/$key/key.txt" ]]; then
     echo "Key '$key' not found."
     exit 1
   fi
 }
 
 set_password_file() {
-  SOPS_AGE_KEY_FILE="$flake/secrets/$key/key.txt"
+  SOPS_AGE_KEY_FILE="$flake/submodules/secrets/domains/$key/key.txt"
   export SOPS_AGE_KEY_FILE
-  sops --decrypt --extract "['luks']" "$flake/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
+  install -m 600 /dev/null /tmp/keyfile
+  sops --decrypt --extract "['luks']" "$flake/submodules/secrets/hosts/$host/secrets.yaml" > /tmp/keyfile
   unset SOPS_AGE_KEY_FILE
 }
 
@@ -62,9 +64,9 @@ prepare_disk() {
   disko -m "$disko_mode" --yes-wipe-all-disks --root-mountpoint "$root" "$flake/hosts/$host/format.nix"
 }
 
-copy_keys() {
+copy_sops_keys() {
   mkdir -p "$root/persist/state/etc/ssh"
-  cp -f "$flake/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
+  cp -f "$flake/submodules/secrets/hosts/$host/ssh_host_ed25519_key" "$root/persist/state/etc/ssh/ssh_host_ed25519_key"
 
   for path in "$flake/hosts/$host/users"/*; do
     if [[ -z "$key" ]]; then
@@ -75,7 +77,7 @@ copy_keys() {
     user=$(basename "$path")
 
     mkdir -p "$root/persist/state/home/$user/.config/sops-nix"
-    cp -f "$flake/secrets/$key/key.txt" "$root/persist/state/home/$user/.config/sops-nix/key.txt"
+    cp -f "$flake/submodules/secrets/domains/$key/key.txt" "$root/persist/state/home/$user/.config/sops-nix/key.txt"
 
     owner=$(cat "$flake/hosts/$host/users/$user/uid")
     group=100
@@ -87,26 +89,46 @@ copy_keys() {
   done
 }
 
-install() {
+copy_secure_boot_keys() {
+  mkdir -p "$root/persist/state/var/lib/sbctl/keys"/{db,KEK,PK}
+
+  SOPS_AGE_KEY_FILE="$flake/submodules/secrets/domains/$key/key.txt"
+  export SOPS_AGE_KEY_FILE
+
+  sops --decrypt --extract "['guid']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/GUID"
+  sops --decrypt --extract "['keys']['kek']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.key"
+  sops --decrypt --extract "['keys']['kek']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/KEK/KEK.pem"
+  sops --decrypt --extract "['keys']['pk']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.key"
+  sops --decrypt --extract "['keys']['pk']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/PK/PK.pem"
+  sops --decrypt --extract "['keys']['db']['key']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.key"
+  sops --decrypt --extract "['keys']['db']['pem']" "$flake/submodules/secrets/domains/lanzaboote/secrets.yaml" > "$root/persist/state/var/lib/sbctl/keys/db/db.pem"
+
+  chmod 400 "$root/persist/state/var/lib/sbctl/keys"/*/*
+
+  unset SOPS_AGE_KEY_FILE
+
+  mkdir -p "$root/var/lib/sbctl"
+  mount --bind -o X-fstrim.notrim,x-gvfs-hide "$root/persist/state/var/lib/sbctl" "$root/var/lib/sbctl"
+}
+
+install_nixos() {
   nixos-install --root "$root" --flake "$flake#$host" --no-root-passwd
 }
 
+enroll_secure_boot() {
+  sbctl enroll-keys --microsoft
+}
+
 copy_config() {
   echo "Copying configuration..."
-  mkdir -p "$root/persist/user/etc/nixos"
+  mkdir -p "$root/persist/user/etc"
   rm -rf "$root/persist/user/etc/nixos"
   cp -r "$flake" "$root/persist/user/etc/nixos"
 }
 
-finish() {
-  echo "Rebooting system..."
-  trap - EXIT
-  cleanup
-  reboot
-}
-
 cleanup() {
   rm -f /tmp/keyfile
+  if [[ -d "$root" ]]; then umount "$root/var/lib/sbctl"; fi
   if [[ -n "$host" ]]; then disko -m "unmount" "$flake/hosts/$host/format.nix"; fi
   if [[ -d "$root" ]]; then rmdir "$root"; fi
 }
@@ -124,14 +146,16 @@ main() {
   mode=""
   host=""
   key=""
+  enroll_secure_boot_flag="false"
   copy_config_flag="false"
   reboot_flag="false"
 
-  while getopts "m:h:k:cr" opt; do
+  while getopts "m:h:k:scr" opt; do
     case "$opt" in
       m) mode="$OPTARG" ;;
       h) host="$OPTARG" ;;
       k) key="$OPTARG" ;;
+      s) enroll_secure_boot_flag="true" ;;
       c) copy_config_flag="true" ;;
       r) reboot_flag="true" ;;
       *) usage ;;
@@ -153,10 +177,17 @@ main() {
       ;;
   esac
 
-  copy_keys
-  install
+  copy_sops_keys
+  copy_secure_boot_keys
+
+  install_nixos
+
+  [[ "$enroll_secure_boot_flag" == "true" ]] && enroll_secure_boot
   [[ "$copy_config_flag" == "true" ]] && copy_config
-  [[ "$reboot_flag" == "true" ]] && finish
+
+  cleanup
+
+  [[ "$reboot_flag" == "true" ]] && reboot
 }
 
 main "$@"

hosts/common/configs/system/nix-update/default.nix

@@ -1,12 +1,4 @@
 { pkgs, ... }:
 {
-  nixpkgs.overlays = [
-    (final: prev: {
-      nix-update = prev.nix-update.overrideAttrs (oldAttrs: {
-        patches = oldAttrs.patches or [ ] ++ [ ./source-attribute.patch ];
-      });
-    })
-  ];
-
   environment.systemPackages = with pkgs; [ nix-update ];
 }

hosts/common/configs/system/nix-update/source-attribute.patch

@@ -1,127 +0,0 @@
-diff --git a/nix_update/__init__.py b/nix_update/__init__.py
-index 89bbe45..93f9322 100644
---- a/nix_update/__init__.py
-+++ b/nix_update/__init__.py
-@@ -124,6 +124,12 @@ def parse_args(args: list[str]) -> Options:
-         default=[],
-     )
- 
-+    parser.add_argument(
-+        "--src-attr",
-+        help="Src attribute",
-+        default="src",
-+    )
-+
-     a = parser.parse_args(args)
-     extra_flags = ["--extra-experimental-features", "flakes nix-command"]
-     if a.system:
-@@ -146,6 +152,7 @@ def parse_args(args: list[str]) -> Options:
-         version=a.version,
-         version_preference=VersionPreference.from_str(a.version),
-         attribute=a.attribute,
-+        source_attribute=a.src_attr,
-         test=a.test,
-         version_regex=a.version_regex,
-         review=a.review,
-diff --git a/nix_update/eval.py b/nix_update/eval.py
-index 1767056..f85ea69 100644
---- a/nix_update/eval.py
-+++ b/nix_update/eval.py
-@@ -105,12 +105,19 @@ class Package:
- def eval_expression(
-     escaped_import_path: str,
-     attr: str,
-+    source_attr: str,
-     flake: bool,
-     system: str | None,
-     override_filename: str | None,
- ) -> str:
-     system = f'"{system}"' if system else "builtins.currentSystem"
- 
-+    source_attrs = source_attr.rpartition(".")
-+    source_attr_last = source_attrs[-1] or source_attr
-+    source_attr_all_but_last = (
-+        f".{source_attrs[0]}" if source_attr_last != source_attr else ""
-+    )
-+
-     if flake:
-         sanitize_position = (
-             f"""
-@@ -164,8 +171,8 @@ let
-     raw_version_position
-   else if pkg ? isPhpExtension then
-     raw_version_position
--  else if (builtins.unsafeGetAttrPos "src" pkg) != null then
--    sanitizePosition (builtins.unsafeGetAttrPos "src" pkg)
-+  else if (builtins.unsafeGetAttrPos "{source_attr_last}" pkg) != null then
-+    sanitizePosition (builtins.unsafeGetAttrPos "{source_attr_last}" pkg{source_attr_all_but_last})
-   else
-     sanitizePosition (positionFromMeta pkg);
- in {{
-@@ -174,11 +181,11 @@ in {{
-   inherit raw_version_position;
-   filename = position.file;
-   line = position.line;
--  urls = pkg.src.urls or null;
--  url = pkg.src.url or null;
--  rev = pkg.src.rev or null;
--  tag = pkg.src.tag or null;
--  hash = pkg.src.outputHash or null;
-+  urls = pkg.{source_attr}.urls or null;
-+  url = pkg.{source_attr}.url or null;
-+  rev = pkg.{source_attr}.rev or null;
-+  tag = pkg.{source_attr}.tag or null;
-+  hash = pkg.{source_attr}.outputHash or null;
-   go_modules = pkg.goModules.outputHash or null;
-   go_modules_old = pkg.go-modules.outputHash or null;
-   cargo_deps = pkg.cargoDeps.outputHash or null;
-@@ -205,7 +212,7 @@ in {{
-   mix_deps = pkg.mixFodDeps.outputHash or null;
-   tests = builtins.attrNames (pkg.passthru.tests or {{}});
-   has_update_script = {has_update_script};
--  src_homepage = pkg.src.meta.homepage or null;
-+  src_homepage = pkg.{source_attr}.meta.homepage or null;
-   changelog = pkg.meta.changelog or null;
-   maintainers = pkg.meta.maintainers or null;
- }}"""
-@@ -215,6 +222,7 @@ def eval_attr(opts: Options) -> Package:
-     expr = eval_expression(
-         opts.escaped_import_path,
-         opts.escaped_attribute,
-+        opts.source_attribute,
-         opts.flake,
-         opts.system,
-         opts.override_filename,
-diff --git a/nix_update/options.py b/nix_update/options.py
-index 2d07b77..ab5c305 100644
---- a/nix_update/options.py
-+++ b/nix_update/options.py
-@@ -8,6 +8,7 @@ from .version.version import VersionPreference
- @dataclass
- class Options:
-     attribute: str
-+    source_attribute: str = "src"
-     flake: bool = False
-     version: str = "stable"
-     version_preference: VersionPreference = VersionPreference.STABLE
-@@ -33,4 +34,7 @@ class Options:
- 
-     def __post_init__(self) -> None:
-         self.escaped_attribute = ".".join(map(json.dumps, self.attribute.split(".")))
-+        self.escaped_source_attribute = ".".join(
-+            map(json.dumps, self.source_attribute.split("."))
-+        )
-         self.escaped_import_path = json.dumps(self.import_path)
-diff --git a/nix_update/update.py b/nix_update/update.py
-index 82b7bc5..464bf3d 100644
---- a/nix_update/update.py
-+++ b/nix_update/update.py
-@@ -155,7 +155,7 @@ def git_prefetch(x: tuple[str, tuple[str, str]]) -> tuple[str, str]:
- 
- 
- def update_src_hash(opts: Options, filename: str, current_hash: str) -> None:
--    target_hash = nix_prefetch(opts, "src")
-+    target_hash = nix_prefetch(opts, opts.source_attribute)
-     replace_hash(filename, current_hash, target_hash)
- 
- 

hosts/common/configs/system/nix/default.nix

@@ -1,27 +1,51 @@
-{ config, inputs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
 {
   sops = {
     secrets = {
-      "git/credentials/github.com/public/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
-      "git/credentials/github.com/public/password".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+      "git/credentials/github.com/tokens/public".sopsFile =
+        "${inputs.secrets}/domains/personal/secrets.yaml";
+
+      "nix/cache/nix.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
     };
 
-    templates.nix-access-tokens = {
-      content = ''
-        access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/public/password"}
-      '';
-      group = "users";
+    templates = {
+      nix-access-tokens = {
+        content = ''
+          access-tokens = github.com=${config.sops.placeholder."git/credentials/github.com/tokens/public"}
+        '';
+        group = "users";
+        mode = "0440";
+      };
+
+      nix-netrc = {
+        content = ''
+          machine nix.karaolidis.com
+          password ${config.sops.placeholder."nix/cache/nix.karaolidis.com"}
+        '';
+        group = "users";
+        mode = "0440";
+      };
     };
   };
 
   nix = {
     settings = {
+      trusted-users = lib.mkAfter [ "@wheel" ];
       use-xdg-base-directories = true;
       experimental-features = [
         "nix-command"
         "flakes"
       ];
       download-buffer-size = 524288000;
+      substituters = lib.mkBefore [ "https://nix.karaolidis.com/main" ];
+      trusted-substituters = config.nix.settings.substituters;
+      trusted-public-keys = lib.mkBefore [ "main:nJVRBnv73MDkwuV5sgm52m4E2ImOhWHvY12qzjPegAk=" ];
+      netrc-file = config.sops.templates.nix-netrc.path;
     };
 
     channel.enable = false;

hosts/common/configs/system/nixpkgs/default.nix

@@ -1,7 +1,5 @@
-{ inputs, system, ... }:
+{ system, ... }:
 {
-  imports = [ inputs.nur.modules.nixos.default ];
-
   nixpkgs = {
     hostPlatform = system;
     config.allowUnfree = true;

hosts/common/configs/system/podman/default.nix

@@ -2,20 +2,6 @@
 {
   imports = [ inputs.quadlet-nix.nixosModules.quadlet ];
 
-  # FIXME: https://github.com/containers/crun/pull/1807
-  nixpkgs.overlays = [
-    (final: prev: {
-      crun = prev.crun.overrideAttrs (oldAttrs: {
-        patches = oldAttrs.patches or [ ] ++ [
-          (builtins.fetchurl {
-            url = "https://patch-diff.githubusercontent.com/raw/containers/crun/pull/1807.patch";
-            sha256 = "sha256:13ax2scvd27s341wy0b9gpfyn47gjvg9fvbl8al3905dblqhdlr0";
-          })
-        ];
-      });
-    })
-  ];
-
   virtualisation = {
     podman.enable = true;
 

hosts/common/configs/system/ssh-agent/default.nix

@@ -1,4 +0,0 @@
-{ ... }:
-{
-  programs.ssh.startAgent = true;
-}

hosts/common/configs/system/ssh/default.nix

@@ -12,7 +12,7 @@
 
     jupiter-sish = {
       publicKeyFile = "${inputs.secrets}/hosts/jupiter/ssh_sish_ed25519_key.pub";
-      extraHostNames = [ "karaolidis.com" ];
+      extraHostNames = [ "tunnel.karaolidis.com" ];
     };
 
     jupiter-vps = {

hosts/common/configs/system/sshd/default.nix

@@ -1,31 +1,12 @@
 { pkgs, ... }:
 {
-  environment = {
-    systemPackages = with pkgs; [
-      kitty.terminfo
-      tmux.terminfo
-    ];
+  environment.systemPackages = with pkgs; [ kitty.terminfo ];
 
-    persistence."/persist/state"."/var/lib/fail2ban" = { };
-  };
-
-  services = {
-    openssh = {
-      enable = true;
-      settings = {
-        PasswordAuthentication = false;
-        PrintMotd = false;
-      };
-    };
-
-    fail2ban = {
-      enable = true;
-      bantime = "24h";
-      bantime-increment = {
-        enable = true;
-        maxtime = "720h";
-        overalljails = true;
-      };
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      PrintMotd = false;
     };
   };
 }

hosts/common/configs/system/tmux/default.nix

@@ -1,10 +0,0 @@
-{ ... }:
-{
-  programs.tmux = {
-    enable = true;
-    clock24 = true;
-    historyLimit = 10000;
-    keyMode = "vi";
-    newSession = true;
-  };
-}

hosts/common/configs/user/console/android/default.nix

@@ -1,14 +1,6 @@
 { user, home }:
 { config, pkgs, ... }:
 {
-  nixpkgs.overlays = [
-    (final: prev: {
-      android-tools = prev.android-tools.overrideAttrs (oldAttrs: {
-        patches = oldAttrs.patches or [ ] ++ [ ./env-var-user-home.patch ];
-      });
-    })
-  ];
-
   programs.adb.enable = true;
   services.gvfs.enable = true;
 

hosts/common/configs/user/console/attic/default.nix

@@ -0,0 +1,33 @@
+{ user, home }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
+let
+  hmConfig = config.home-manager.users.${user};
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets."nix/cache/nix.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+      templates."attic" = {
+        content = builtins.readFile (
+          (pkgs.formats.toml { }).generate "config.toml" {
+            default-server = "main";
+
+            servers."main" = {
+              endpoint = "https://nix.karaolidis.com/";
+              token = hmConfig.sops.placeholder."nix/cache/nix.karaolidis.com";
+            };
+          }
+        );
+        path = "${home}/.config/attic/config.toml";
+      };
+    };
+
+    home.packages = with pkgs; [ attic-client ];
+  };
+}

hosts/common/configs/user/console/btop/default.nix

@@ -1,17 +1,34 @@
 { user, home }:
-{ ... }:
+{ lib, pkgs, ... }:
 {
-  home-manager.users.${user}.programs.btop = {
-    enable = true;
-    settings = {
-      theme_background = false;
-      presets = "";
-      vim_keys = true;
-      shown_boxes = "cpu mem net proc gpu0 gpu1";
-      update_ms = 1000;
-      proc_tree = true;
-      cpu_single_graph = true;
-      disks_filter = "/ /nix /persist";
+  home-manager.users.${user} = {
+    programs.btop = {
+      enable = true;
+      settings = {
+        color_theme = "matugen";
+        theme_background = false;
+        presets = "";
+        vim_keys = true;
+        shown_boxes = "cpu mem net proc gpu0 gpu1";
+        update_ms = 1000;
+        proc_tree = true;
+        cpu_single_graph = true;
+        disks_filter = "/ /nix /persist";
+      };
+    };
+
+    theme = {
+      template.".config/btop/themes/matugen.theme".source = ./theme.theme;
+
+      reloadExtraConfig = "${
+        lib.meta.getExe (
+          pkgs.writeShellApplication {
+            name = "reload-btop";
+            runtimeInputs = with pkgs; [ procps ];
+            text = "exec pkill btop -SIGUSR2";
+          }
+        )
+      } &";
     };
   };
 }

hosts/common/configs/user/console/git/default.nix

@@ -41,5 +41,41 @@ in
         );
       };
     };
+
+    home = {
+      packages = with pkgs; [
+        (pkgs.writeShellApplication {
+          name = "gh";
+          runtimeInputs = with pkgs; [ gh ];
+          text = builtins.readFile ./gh.sh;
+        })
+        (pkgs.writeShellApplication {
+          name = "glab";
+          runtimeInputs = with pkgs; [ glab ];
+          text = builtins.readFile ./glab.sh;
+        })
+        (pkgs.writeShellApplication {
+          name = "tea";
+          runtimeInputs = with pkgs; [ tea ];
+          text = builtins.readFile ./tea.sh;
+        })
+      ];
+
+      sessionVariables = {
+        GITEA_HOST = "git.karaolidis.com";
+        GITEA_SSH_HOST = "karaolidis.com";
+      };
+    };
+
+    xdg.configFile = {
+      "gh/config.yml".source = (pkgs.formats.yaml { }).generate "config.yml" {
+        version = 1;
+        git_protocol = "ssh";
+      };
+
+      "glab-cli/config.yml".source = (pkgs.formats.yaml { }).generate "config.yml" {
+        git_protocol = "ssh";
+      };
+    };
   };
 }

hosts/common/configs/user/console/git/gh.sh

@@ -0,0 +1,8 @@
+# shellcheck shell=bash
+
+GH_HOST="${GH_HOST:-github.com}"
+
+GH_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GH_HOST}#\1#p" "$HOME/.config/git/credentials")
+export GH_TOKEN
+
+exec gh "$@"

hosts/common/configs/user/console/git/glab.sh

@@ -0,0 +1,8 @@
+# shellcheck shell=bash
+
+GITLAB_HOST="${GITLAB_HOST:-gitlab.com}"
+
+GITLAB_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GITLAB_HOST}#\1#p" "$HOME/.config/git/credentials")
+export GITLAB_TOKEN
+
+exec glab "$@"

hosts/common/configs/user/console/git/tea.sh

@@ -0,0 +1,13 @@
+# shellcheck shell=bash
+
+GITEA_HOST="${GITEA_HOST:-gitea.com}"
+GITEA_SSH_HOST="${GITEA_SSH_HOST:-gitea.com}"
+
+GITEA_TOKEN=$(sed -n "s#https://[^:]*:\([^@]*\)@${GITEA_HOST}#\1#p" "$HOME/.config/git/credentials")
+GITEA_INSTANCE_URL="https://${GITEA_HOST}"
+GITEA_INSTANCE_SSH_HOST="$GITEA_SSH_HOST"
+export GITEA_TOKEN
+export GITEA_INSTANCE_URL
+export GITEA_INSTANCE_SSH_HOST
+
+exec tea "$@"

hosts/common/configs/user/console/gpg-agent/default.nix

@@ -20,6 +20,10 @@
       enable = true;
       defaultCacheTtl = 31536000;
       maxCacheTtl = 31536000;
+      pinentry = {
+        package = pkgs.pinentry-all;
+        program = "pinentry-tty";
+      };
     };
 
     systemd.user = {

hosts/common/configs/user/console/home-manager/default.nix

@@ -1,5 +1,10 @@
 { user, home }:
-{ config, inputs, ... }:
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
 {
   imports = [ inputs.home-manager.nixosModules.default ];
 
@@ -15,10 +20,17 @@
       home.stateVersion = "24.11";
       systemd.user.startServices = true;
 
-      nix.settings.experimental-features = [
-        "nix-command"
-        "flakes"
-      ];
+      nix.settings = {
+        inherit (config.nix.settings)
+          use-xdg-base-directories
+          experimental-features
+          download-buffer-size
+          substituters
+          trusted-substituters
+          trusted-public-keys
+          netrc-file
+          ;
+      };
     };
   };
 }

hosts/common/configs/user/console/neovim/default.nix

@@ -1,22 +1,299 @@
 { user, home }:
-{ ... }:
 {
-  home-manager.users.${user}.programs = {
-    neovim = {
-      enable = true;
-      defaultEditor = true;
-      viAlias = true;
-      vimAlias = true;
-      vimdiffAlias = true;
-      extraConfig = ''
-        set tabstop=2
-        set shiftwidth=2
-        set expandtab
-        set smartindent
-        set mouse=
-      '';
-    };
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  environment.persistence = {
+    "/persist/state"."${home}/.local/share/nvf" = { };
+    "/persist/cache"."${home}/.cache/nvf" = { };
+  };
 
-    zsh.p10k.extraRightPromptElements = [ "vim_shell" ];
+  home-manager.users.${user} = {
+    imports = [ inputs.nvf.homeManagerModules.default ];
+
+    programs = {
+      nvf = {
+        enable = true;
+        defaultEditor = true;
+
+        settings = {
+          vim = {
+            enableLuaLoader = true;
+
+            viAlias = true;
+            vimAlias = true;
+
+            autocomplete = {
+              blink-cmp.enable = true;
+            };
+
+            binds = {
+              # hardtime-nvim.enable = true;
+              whichKey.enable = true;
+            };
+
+            clipboard = {
+              enable = true;
+              providers.wl-copy.enable = true;
+              registers = "unnamedplus";
+            };
+
+            comments = {
+              comment-nvim.enable = true;
+            };
+
+            # dashboard = {
+            #   alpha.enable = true;
+            # };
+
+            filetree = {
+              neo-tree = {
+                enable = true;
+                setupOpts = {
+                  git_status_async = true;
+
+                  window.mappings = lib.generators.mkLuaInline ''
+                    {
+                      ["<space>"] = "noop",
+                    }
+                  '';
+                };
+              };
+            };
+
+            # formatter = {
+            #   conform-nvim.enable = true;
+            # };
+
+            git = {
+              enable = true;
+              # git-conflict.enable = true;
+              gitsigns.enable = true;
+              # neogit.enable = true;
+            };
+
+            languages = {
+              enableDAP = true;
+              enableFormat = true;
+              enableTreesitter = true;
+              enableExtraDiagnostics = true;
+
+              assembly.enable = true;
+              bash.enable = true;
+              clang.enable = true;
+              csharp.enable = true;
+              css.enable = true;
+              go.enable = true;
+              html.enable = true;
+              java.enable = true;
+              lua.enable = true;
+              markdown.enable = true;
+              nix = {
+                enable = true;
+                format.type = "nixfmt";
+                lsp.options.nil = {
+                  nix = {
+                    maxMemoryMB = null;
+                    flake = {
+                      autoArchive = true;
+                      autoEvalInputs = true;
+                    };
+                  };
+                };
+              };
+              php.enable = true;
+              python.enable = true;
+              rust.enable = true;
+              sql.enable = true;
+              svelte.enable = true;
+              ts.enable = true;
+              yaml.enable = true;
+            };
+
+            lsp = {
+              enable = true;
+              formatOnSave = true;
+              # nvim-docs-view.enable = true;
+              # otter-nvim.enable = true;
+              # trouble.enable = true;
+            };
+
+            # minimap = {
+            #   codewindow.enable = true;
+            # };
+
+            notify = {
+              nvim-notify.enable = true;
+            };
+
+            options = {
+              tabstop = 2;
+              shiftwidth = 2;
+              expandtab = true;
+              smartindent = true;
+            };
+
+            # projects = {
+            #   project-nvim.enable = true;
+            # };
+
+            searchCase = "smart";
+
+            # snippets = {
+            #   luasnip.enable = true;
+            # };
+
+            tabline = {
+              nvimBufferline = {
+                enable = true;
+                mappings.closeCurrent = "<leader>bd";
+                setupOpts.options = {
+                  indicator.style = "icon";
+                  show_close_icon = false;
+                  show_buffer_close_icons = false;
+                };
+              };
+            };
+
+            telescope = {
+              enable = true;
+              setupOpts.defaults.file_ignore_patterns = [
+                "node_modules"
+                "%.venv/"
+                "%.git/"
+                "dist/"
+                "build/"
+                "target/"
+                "result/"
+              ];
+            };
+
+            terminal = {
+              toggleterm = {
+                enable = true;
+                setupOpts.winbar.enabled = false;
+              };
+            };
+
+            treesitter = {
+              enable = true;
+              context.enable = true;
+              fold = true;
+              textobjects.enable = true;
+            };
+
+            ui = {
+              # breadcrumbs = {
+              #   enable = true;
+              #   navbuddy.enable = true;
+              # };
+              colorizer.enable = true;
+              # fastaction.enable = true;
+              # illuminate.enable = true;
+            };
+
+            undoFile.enable = true;
+
+            utility = {
+              # diffview-nvim.enable = true;
+              # icon-picker.enable = true;
+              # images = {
+              #   img-clip.enable = true;
+              # };
+              # mkdir.enable = true;
+              motion = {
+                precognition.enable = true;
+              };
+              # nvim-biscuits.enable = true;
+              # smart-splits.enable = true;
+              surround.enable = true;
+              # undotree.enable = true;
+              # yazi-nvim.enable = true;
+            };
+
+            visuals = {
+              # cinnamon-nvim.enable = true;
+              # fidget-nvim.enable = true;
+              # highlight-undo.enable = true;
+              indent-blankline.enable = true;
+              nvim-cursorline.enable = true;
+              # nvim-scrollbar.enable = true;
+              nvim-web-devicons.enable = true;
+            };
+
+            keymaps = [
+              {
+                mode = [ "n" ];
+                key = "<C-b>";
+                action = "<C-b>zz";
+                silent = true;
+                noremap = true;
+                desc = "Page up and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<C-u>";
+                action = "<C-u>zz";
+                silent = true;
+                noremap = true;
+                desc = "Half-page up and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<C-d>";
+                action = "<C-d>zz";
+                silent = true;
+                noremap = true;
+                desc = "Half-page down and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<C-f>";
+                action = "<C-f>zz";
+                silent = true;
+                noremap = true;
+                desc = "Page down and center";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>ww";
+                action = "<cmd>w<CR>";
+                silent = true;
+                desc = "Save";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>wq";
+                action = "<cmd>wq<CR>";
+                silent = true;
+                desc = "Save & Quit";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>ee";
+                action = "<cmd>Neotree toggle<CR>";
+                silent = true;
+                desc = "Toggle Neo-tree";
+              }
+              {
+                mode = [ "n" ];
+                key = "<leader>ef";
+                action = "<cmd>Neotree reveal<CR>";
+                silent = true;
+                desc = "Reveal file in Neo-tree";
+              }
+            ];
+          };
+        };
+      };
+
+      zsh = {
+        p10k.extraRightPromptElements = [ "vim_shell" ];
+        shellAliases.v = "nvim";
+      };
+    };
   };
 }

hosts/common/configs/user/console/nix-develop/template.nix

@@ -1,42 +1,31 @@
 {
   inputs = {
-    nixpkgs = {
-      type = "github";
-      owner = "karaolidis";
-      repo = "nixpkgs";
-      ref = "integration";
-    };
-
-    flake-utils = {
-      type = "github";
-      owner = "numtide";
-      repo = "flake-utils";
-      ref = "main";
-    };
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
 
     treefmt-nix = {
-      type = "github";
-      owner = "numtide";
-      repo = "treefmt-nix";
-      ref = "main";
-
+      url = "github:numtide/treefmt-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
 
   outputs =
-    { self, nixpkgs, ... }@inputs:
-    inputs.flake-utils.lib.eachDefaultSystem (
-      system:
+    inputs:
+    (
       let
-        pkgs = nixpkgs.legacyPackages.${system};
+        system = "x86_64-linux";
+
+        pkgs = import inputs.nixpkgs {
+          inherit system;
+          config.allowUnfree = true;
+        };
+
         treefmt = inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix;
       in
       {
-        devShells.default = pkgs.mkShell { packages = with pkgs; [ ]; };
+        devShells.${system}.default = pkgs.mkShell { packages = with pkgs; [ ]; };
 
-        formatter = treefmt.config.build.wrapper;
-        checks.formatting = treefmt.config.build.check self;
+        formatter.${system} = treefmt.config.build.wrapper;
+        checks.formatting.${system} = treefmt.config.build.check inputs.self;
       }
     );
 }

hosts/common/configs/user/console/nix-develop/treefmt.nix

@@ -9,9 +9,5 @@
     };
   };
 
-  settings = {
-    global = {
-      excludes = [ ".envrc" ];
-    };
-  };
+  settings.global.excludes = [ ".envrc" ];
 }

hosts/common/configs/user/console/sops/default.nix

@@ -3,12 +3,18 @@
 {
   environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt" = { };
 
-  home-manager.users.${user} = {
-    imports = [ inputs.sops-nix.homeManagerModules.sops ];
+  home-manager.users.${user} =
+    let
+      sopsKeyFile =
+        if config.environment.impermanence.enable then
+          config.environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt".source
+        else
+          "${home}/.config/sops-nix/key.txt";
+    in
+    {
+      imports = [ inputs.sops-nix.homeManagerModules.sops ];
 
-    sops.age.keyFile =
-      config.environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt".source;
-    home.sessionVariables.SOPS_AGE_KEY_FILE =
-      config.environment.persistence."/persist/state"."${home}/.config/sops-nix/key.txt".source;
-  };
+      sops.age.keyFile = sopsKeyFile;
+      home.sessionVariables.SOPS_AGE_KEY_FILE = sopsKeyFile;
+    };
 }

hosts/common/configs/user/console/ssh-agent/default.nix

@@ -3,6 +3,6 @@
 {
   home-manager.users.${user} = {
     services.ssh-agent.enable = true;
-    programs.ssh.addKeysToAgent = "yes";
+    programs.ssh.matchBlocks."*".addKeysToAgent = "yes";
   };
 }

hosts/common/configs/user/console/ssh/default.nix

@@ -1,5 +1,9 @@
 { user, home }:
 { ... }:
 {
-  home-manager.users.${user}.programs.ssh.enable = true;
+  home-manager.users.${user}.programs.ssh = {
+    enable = true;
+    enableDefaultConfig = false;
+    matchBlocks."*".identitiesOnly = true;
+  };
 }

hosts/common/configs/user/console/syncthing/default.nix

@@ -14,11 +14,13 @@
     "syncthing/key" = {
       owner = user;
       group = "users";
+      mode = "0440";
     };
     # openssl req -new -x509 -key key.pem -out cert.pem -days 9999 -subj "/CN=syncthing"
     "syncthing/cert" = {
       owner = user;
       group = "users";
+      mode = "0440";
     };
   };
 

hosts/common/configs/user/console/tmux/default.nix

@@ -1,5 +0,0 @@
-{ user, home }:
-{ ... }:
-{
-  home-manager.users.${user}.programs.tmux.enable = true;
-}

hosts/common/configs/user/console/yazi/default.nix

@@ -3,13 +3,10 @@
   config,
   lib,
   pkgs,
-  inputs,
-  system,
   ...
 }:
 let
   hmConfig = config.home-manager.users.${user};
-  selfPkgs = inputs.self.packages.${system};
 in
 {
   home-manager.users.${user} = {
@@ -26,7 +23,7 @@ in
           opener = {
             edit = [
               {
-                run = "${hmConfig.programs.neovim.finalPackage}/bin/nvim \"$@\"";
+                run = "${hmConfig.programs.nvf.finalPackage}/bin/nvim \"$@\"";
                 desc = "nvim";
                 block = true;
               }
@@ -187,9 +184,8 @@ in
             ouch
             mount
             mediainfo
+            custom-shell
             ;
-
-          custom-shell = selfPkgs.yazi-plugin-custom-shell;
         };
       };
 

hosts/common/configs/user/console/zellij/default.nix

@@ -0,0 +1,26 @@
+{ user, home }:
+{ ... }:
+{
+  home-manager.users.${user} = {
+    programs.zellij = {
+      enable = true;
+
+      settings = {
+        theme = "matugen";
+
+        pane_frames = false;
+        copy_command = "wl-copy";
+
+        ui.pane_frames.hide_session_name = true;
+
+        pane_viewport_serialization = true;
+        scrollback_lines_to_serialize = 0;
+
+        show_startup_tips = false;
+        show_release_notes = false;
+      };
+    };
+
+    theme.template.".config/zellij/themes/matugen.kdl".source = ./theme.kdl;
+  };
+}

hosts/common/configs/user/console/zellij/theme.kdl

@@ -0,0 +1,128 @@
+themes {
+    matugen {
+        text_unselected {
+            base {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_1 {{colors.secondary.default.red}} {{colors.secondary.default.green}} {{colors.secondary.default.blue}}
+            emphasis_2 {{colors.tertiary.default.red}} {{colors.tertiary.default.green}} {{colors.tertiary.default.blue}}
+            emphasis_3 {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+        }
+        text_selected {
+            base {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            background {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_0 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_1 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_2 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_3 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+        }
+        ribbon_unselected {
+            base {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+            background {{colors.surface_container.default.red}} {{colors.surface_container.default.green}} {{colors.surface_container.default.blue}}
+            emphasis_0 {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_1 {{colors.secondary.default.red}} {{colors.secondary.default.green}} {{colors.secondary.default.blue}}
+            emphasis_2 {{colors.tertiary.default.red}} {{colors.tertiary.default.green}} {{colors.tertiary.default.blue}}
+            emphasis_3 {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+        }
+        ribbon_selected {
+            base {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            background {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_0 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_1 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_2 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_3 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+        }
+        table_title {
+            base {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_1 {{colors.secondary.default.red}} {{colors.secondary.default.green}} {{colors.secondary.default.blue}}
+            emphasis_2 {{colors.tertiary.default.red}} {{colors.tertiary.default.green}} {{colors.tertiary.default.blue}}
+            emphasis_3 {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+        }
+        table_cell_unselected {
+            base {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_1 {{colors.secondary.default.red}} {{colors.secondary.default.green}} {{colors.secondary.default.blue}}
+            emphasis_2 {{colors.tertiary.default.red}} {{colors.tertiary.default.green}} {{colors.tertiary.default.blue}}
+            emphasis_3 {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+        }
+        table_cell_selected {
+            base {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            background {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_0 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_1 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_2 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_3 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+        }
+        list_unselected {
+            base {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_1 {{colors.secondary.default.red}} {{colors.secondary.default.green}} {{colors.secondary.default.blue}}
+            emphasis_2 {{colors.tertiary.default.red}} {{colors.tertiary.default.green}} {{colors.tertiary.default.blue}}
+            emphasis_3 {{colors.on_surface.default.red}} {{colors.on_surface.default.green}} {{colors.on_surface.default.blue}}
+        }
+        list_selected {
+            base {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            background {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            emphasis_0 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_1 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_2 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+            emphasis_3 {{colors.on_primary.default.red}} {{colors.on_primary.default.green}} {{colors.on_primary.default.blue}}
+        }
+        frame_unselected {
+            base {{colors.outline_variant.default.red}} {{colors.outline_variant.default.green}} {{colors.outline_variant.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 0
+            emphasis_1 0
+            emphasis_2 0
+            emphasis_3 0
+        }
+        frame_selected {
+            base {{colors.primary.default.red}} {{colors.primary.default.green}} {{colors.primary.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 0
+            emphasis_1 0
+            emphasis_2 0
+            emphasis_3 0
+        }
+        frame_highlight {
+            base {{colors.error.default.red}} {{colors.error.default.green}} {{colors.error.default.blue}}
+            background {{colors.surface.default.red}} {{colors.surface.default.green}} {{colors.surface.default.blue}}
+            emphasis_0 0
+            emphasis_1 0
+            emphasis_2 0
+            emphasis_3 0
+        }
+        exit_code_success {
+            base {{colors.success.default.red}} {{colors.success.default.green}} {{colors.success.default.blue}}
+            background 0
+            emphasis_0 0
+            emphasis_1 0
+            emphasis_2 0
+            emphasis_3 0
+        }
+        exit_code_error {
+            base {{colors.error.default.red}} {{colors.error.default.green}} {{colors.error.default.blue}}
+            background 0
+            emphasis_0 0
+            emphasis_1 0
+            emphasis_2 0
+            emphasis_3 0
+        }
+        multiplayer_user_colors {
+            player_1 0
+            player_2 0
+            player_3 0
+            player_4 0
+            player_5 0
+            player_6 0
+            player_7 0
+            player_8 0
+            player_9 0
+            player_10 0
+        }
+    }
+}

hosts/common/configs/user/console/zsh/default.nix

@@ -11,7 +11,7 @@
   home-manager.users.${user} = {
     programs.zsh = {
       enable = true;
-      dotDir = ".config/zsh";
+      dotDir = "${home}/.config/zsh";
       autocd = true;
       history = {
         path = "${home}/.local/share/zsh/history";

hosts/common/configs/user/gui/astal/config/widget/components/Tray.tsx

@@ -10,6 +10,12 @@ const TrayButton = ({ item }: { item: Tray.TrayItem }) => (
     tooltipMarkup={createBinding(item, "tooltipMarkup")}
     usePopover={false}
     menuModel={createBinding(item, "menuModel")}
+    onRealize={(self) => {
+      createBinding(item, "action_group").as((action_group) =>
+        self.insert_action_group("dbusmenu", action_group),
+      );
+      self.insert_action_group("dbusmenu", item.action_group);
+    }}
   >
     <icon gicon={createBinding(item, "gicon")} />
   </menubutton>

hosts/common/configs/user/gui/btop/default.nix

@@ -1,26 +0,0 @@
-{ user, home }:
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  home-manager.users.${user} = {
-    programs.btop.settings.color_theme = "matugen";
-
-    theme = {
-      template.".config/btop/themes/matugen.theme".source = ./theme.theme;
-
-      reloadExtraConfig = "${
-        lib.meta.getExe (
-          pkgs.writeShellApplication {
-            name = "reload-btop";
-            runtimeInputs = with pkgs; [ procps ];
-            text = "exec pkill btop -SIGUSR2";
-          }
-        )
-      } &";
-    };
-  };
-}

hosts/common/configs/user/gui/darktable/default.nix

@@ -1,24 +1,6 @@
 { user, home }:
+{ pkgs, ... }:
 {
-  config,
-  inputs,
-  pkgs,
-  system,
-  ...
-}:
-let
-  selfPkgs = inputs.self.packages.${system};
-  hmConfig = config.home-manager.users.${user};
-in
-{
-  nixpkgs.overlays = [
-    (final: prev: {
-      darktable = prev.darktable.overrideAttrs (oldAttrs: {
-        patches = oldAttrs.patches or [ ] ++ [ ./better-copy-and-import.patch ];
-      });
-    })
-  ];
-
   environment.persistence = {
     "/persist/state" = {
       "${home}/.config/darktable/data.db" = { };
@@ -28,21 +10,10 @@ in
   };
 
   home-manager.users.${user} = {
-    home = {
-      packages =
-        with pkgs;
-        with selfPkgs;
-        [
-          darktable
-          exiftool
-          darktable-ghost-cms-publish
-        ];
-
-      sessionVariables = {
-        GHOST_URL = "https://photos.karaolidis.com";
-        GHOST_ADMIN_API_KEY_PATH = hmConfig.sops.secrets."jupiter/photos.karaolidis.com/admin".path;
-      };
-    };
+    home.packages = with pkgs; [
+      darktable
+      exiftool
+    ];
 
     xdg.configFile = {
       "darktable/darktablerc".source = (pkgs.formats.keyValue { }).generate "darktablerc" {
@@ -69,19 +40,13 @@ in
 
       "darktable/luarc".text = ''
         require "tools/script_manager"
-        require "tools/publish"
       '';
 
-      "darktable/lua/lib".source = "${selfPkgs.darktable-lua-scripts}/lib";
+      "darktable/lua/lib".source = "${pkgs.darktable-lua-scripts}/lib";
       "darktable/lua/tools/script_manager.lua".source =
-        "${selfPkgs.darktable-lua-scripts}/tools/script_manager.lua";
-      "darktable/lua/tools/publish.lua".source =
-        "${selfPkgs.darktable-ghost-cms-publish}/lib/darktable-ghost-cms-publish/publish.lua";
+        "${pkgs.darktable-lua-scripts}/tools/script_manager.lua";
 
-      "darktable/luts".source = selfPkgs.darktable-hald-clut;
+      "darktable/luts".source = pkgs.darktable-hald-clut;
     };
-
-    sops.secrets."jupiter/photos.karaolidis.com/admin".sopsFile =
-      "${inputs.secrets}/personal/secrets.yaml";
   };
 }

hosts/common/configs/user/gui/gaming/steam/steam-ln.sh

@@ -26,7 +26,7 @@ is_excluded() {
 }
 
 for game in "$STEAM"/*/; do
-  name=$(basename "$game")
+  name="$(basename "$game")"
 
   if is_excluded "$name"; then
     echo "Excluding $name from symlink creation."
@@ -47,13 +47,13 @@ for game in "$STEAM"/*/; do
 done
 
 for link in "$GAMES"/*; do
-  target=$(readlink -f "$link")
+  target="$(readlink -f "$link" || echo "")"
 
   if [[ ! "$target" == "$STEAM/"* ]]; then
     continue
   fi
 
-  name=$(basename "$target")
+  name="$(basename "$target")"
 
   if [[ -e "$target" ]] && ! is_excluded "$name"; then
     continue

hosts/common/configs/user/gui/hyprland/default.nix

@@ -6,14 +6,6 @@
   ...
 }:
 {
-  nixpkgs.overlays = [
-    (final: prev: {
-      hyprland = prev.hyprland.overrideAttrs (oldAttrs: {
-        patches = oldAttrs.patches or [ ] ++ [ ./fix-maxwidth-resolution-mode.patch ];
-      });
-    })
-  ];
-
   programs.hyprland = {
     enable = true;
     withUWSM = true;
@@ -162,7 +154,7 @@
 
     programs.zsh = {
       loginExtra = lib.mkAfter ''
-        if uwsm check may-start; then
+        if uwsm check may-start > /dev/null; then
           exec uwsm start hyprland-uwsm.desktop
         fi
       '';

hosts/common/configs/user/gui/hyprsunset/default.nix

@@ -0,0 +1,5 @@
+{ user, home }:
+{ ... }:
+{
+  home-manager.users.${user}.services.hyprsunset.enable = true;
+}

hosts/common/configs/user/gui/kitty/default.nix

@@ -26,6 +26,56 @@ in
         enable_audio_bell = false;
       };
 
+      keybindings =
+        { }
+        // builtins.listToAttrs (
+          builtins.map
+            (k: {
+              name = k;
+              value = "no_op";
+            })
+            [
+              # Window management
+              "kitty_mod+enter"
+              "kitty_mod+n"
+              "kitty_mod+w"
+              "kitty_mod+]"
+              "kitty_mod+["
+              "kitty_mod+f"
+              "kitty_mod+b"
+              "kitty_mod+`"
+              "kitty_mod+r"
+              "kitty_mod+1"
+              "kitty_mod+2"
+              "kitty_mod+3"
+              "kitty_mod+4"
+              "kitty_mod+5"
+              "kitty_mod+6"
+              "kitty_mod+7"
+              "kitty_mod+8"
+              "kitty_mod+9"
+              "kitty_mod+0"
+              "kitty_mod+f7"
+              "kitty_mod+f8"
+
+              # Tab management
+              "kitty_mod+right"
+              "shift+cmd+]"
+              "ctrl+tab"
+              "kitty_mod+left"
+              "shift+cmd+["
+              "ctrl+shift+tab"
+              "kitty_mod+t"
+              "kitty_mod+q"
+              "kitty_mod+."
+              "kitty_mod+,"
+              "kitty_mod+alt+t"
+
+              # Layout management
+              "kitty_mod+l"
+            ]
+        );
+
       extraConfig = ''
         include theme.conf
       '';

hosts/common/configs/user/gui/mpv/default.nix

@@ -1,12 +1,6 @@
 { user, home }:
 { pkgs, ... }:
 {
-  nixpkgs.overlays = [
-    (final: prev: {
-      mpv = pkgs.mpv-unwrapped.wrapper { mpv = pkgs.mpv-unwrapped.override { cddaSupport = true; }; };
-    })
-  ];
-
   home-manager.users.${user} = {
     programs.mpv = {
       enable = true;

hosts/common/configs/user/gui/obsidian/default.nix

@@ -4,11 +4,9 @@
   lib,
   pkgs,
   inputs,
-  system,
   ...
 }:
 let
-  selfPkgs = inputs.self.packages.${system};
   hmConfig = config.home-manager.users.${user};
 in
 {
@@ -78,9 +76,9 @@ in
           }
         ];
 
-        communityPlugins = [
+        communityPlugins = with pkgs; [
           {
-            pkg = selfPkgs.obsidian-plugin-better-word-count;
+            pkg = obsidianPlugins.better-word-count;
             settings = {
               statusBar = [
                 {
@@ -106,7 +104,7 @@ in
             };
           }
           {
-            pkg = selfPkgs.obsidian-plugin-dataview;
+            pkg = obsidianPlugins.dataview;
             settings = {
               enableDataviewJs = true;
               enableInlineDataviewJs = true;
@@ -116,7 +114,7 @@ in
             };
           }
           {
-            pkg = selfPkgs.obsidian-plugin-excalidraw;
+            pkg = obsidianPlugins.excalidraw;
             settings = {
               folder = "Inbox";
               templateFilePath = "Templates";
@@ -139,7 +137,7 @@ in
             };
           }
           {
-            pkg = selfPkgs.obsidian-plugin-kanban;
+            pkg = obsidianPlugins.kanban;
             settings = {
               move-tags = true;
               move-dates = true;
@@ -153,7 +151,7 @@ in
             };
           }
           {
-            pkg = selfPkgs.obsidian-plugin-languagetool;
+            pkg = obsidianPlugins.languagetool;
             settings = {
               shouldAutoCheck = true;
               pickyMode = true;
@@ -162,7 +160,7 @@ in
             };
           }
           {
-            pkg = selfPkgs.obsidian-plugin-linter;
+            pkg = obsidianPlugins.linter;
             settings = {
               lintOnSave = true;
               displayChanged = false;
@@ -302,7 +300,7 @@ in
             };
           }
           {
-            pkg = selfPkgs.obsidian-plugin-map-view;
+            pkg = obsidianPlugins.map-view;
             settings = {
               "markerIconRules" = [
                 {
@@ -388,21 +386,21 @@ in
             };
           }
           {
-            pkg = selfPkgs.obsidian-plugin-minimal-settings;
+            pkg = obsidianPlugins.minimal-settings;
             settings = {
               editorFont = "var(--font-monospace)";
             };
           }
           {
-            pkg = selfPkgs.obsidian-plugin-outliner;
+            pkg = obsidianPlugins.outliner;
             settings = {
               styleLists = false;
               stickCursor = "never";
             };
           }
-          (selfPkgs.obsidian-plugin-style-settings)
+          (obsidianPlugins.style-settings)
           {
-            pkg = selfPkgs.obsidian-plugin-tasks;
+            pkg = obsidianPlugins.tasks;
             settings = {
               globalQuery = "short mode";
               globalFilter = "#todo";
@@ -548,10 +546,10 @@ in
               };
             };
           }
-          (selfPkgs.obsidian-plugin-url-into-selection)
+          (obsidianPlugins.url-into-selection)
         ];
 
-        themes = [ selfPkgs.obsidian-theme-minimal ];
+        themes = with pkgs; [ obsidianThemes.minimal ];
 
         hotkeys = {
           "command-palette:open" = [ { key = "F1"; } ];
@@ -608,6 +606,7 @@ in
       }
     ) hmConfig.programs.obsidian.vaults;
 
-    sops.secrets."google/cloud/obsidian/geocoding".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+    sops.secrets."google/cloud/obsidian/geocoding".sopsFile =
+      "${inputs.secrets}/domains/personal/secrets.yaml";
   };
 }

hosts/common/configs/user/gui/spicetify/default.nix

@@ -7,18 +7,9 @@
   ...
 }:
 let
-  selfLib = inputs.self.lib.${system};
   hmConfig = config.home-manager.users.${user};
 in
 {
-  nixpkgs.overlays = [
-    (final: prev: {
-      spicetify-cli = prev.spicetify-cli.overrideAttrs (oldAttrs: {
-        patches = oldAttrs.patches or [ ] ++ [ ./user-colors.patch ];
-      });
-    })
-  ];
-
   networking.firewall = {
     allowedTCPPorts = [ 57621 ];
     allowedUDPPorts = [ 5353 ];
@@ -64,21 +55,21 @@ in
         ];
       };
 
-    sops.secrets."spotify/username".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+    sops.secrets."spotify/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
 
     xdg.configFile = {
       "spotify/prefs.init" = {
         source = ./config/prefs;
         onChange = ''
-          ${selfLib.runtime.merge.keyValue} "${home}/.config/spotify/prefs.init" "${home}/.config/spotify/prefs"
+          ${lib.runtime.merge.keyValue} "${home}/.config/spotify/prefs.init" "${home}/.config/spotify/prefs"
         '';
       };
 
       "spotify/prefs-user.init" = {
         source = ./config/prefs-user;
         onChange = ''
-          user = $(cat "${hmConfig.sops.secrets."spotify/username".path}")
-          ${selfLib.runtime.merge.keyValue} "${home}/.config/spotify/prefs-user.init" "${home}/.config/spotify/Users/''${user}-user/prefs"
+          user=$(cat "${hmConfig.sops.secrets."spotify/username".path}")
+          ${lib.runtime.merge.keyValue} "${home}/.config/spotify/prefs-user.init" "${home}/.config/spotify/Users/''${user}-user/prefs"
         '';
       };
     };

hosts/common/configs/user/gui/vscode/copilot.nix

@@ -0,0 +1,24 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+lib.mkIf config.programs.vscode.copilot.enable {
+  programs.vscode.profiles.default = {
+    extensions = with pkgs.vscode-extensions; [
+      github.copilot
+      github.copilot-chat
+    ];
+
+    userSettings = {
+      "github.copilot.enable" = {
+        "*" = true;
+        plaintext = true;
+        markdown = true;
+      };
+
+      "chat.editing.alwaysSaveWithGeneratedChanges" = true;
+    };
+  };
+}

hosts/common/configs/user/gui/vscode/default.nix

@@ -83,6 +83,7 @@ in
           "terminal.integrated.fontFamily" =
             builtins.concatStringsSep ", " hmConfig.theme.font.monospace.names;
           "terminal.integrated.fontSize" = hmConfig.theme.font.size;
+          "terminal.integrated.smoothScrolling" = true;
           "update.mode" = "none";
           "window.autoDetectColorScheme" = true;
           "window.autoDetectHighContrast" = false;

hosts/common/configs/user/gui/vscode/langs/hugo/default.nix

@@ -0,0 +1,11 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+lib.mkIf config.programs.vscode.languages.hugo.enable {
+  programs.vscode.profiles.default.extensions = with pkgs.vscode-extensions; [
+    budparr.language-hugo-vscode
+  ];
+}

hosts/common/configs/user/gui/vscode/options.nix

@@ -1,17 +1,10 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.programs.vscode;
-in
+{ lib, ... }:
 {
   options.programs.vscode = with lib; {
     languages = {
       c.enable = mkEnableOption "C";
       go.enable = mkEnableOption "Go";
+      hugo.enable = mkEnableOption "Hugo";
       java.enable = mkEnableOption "Java";
       jinja.enable = mkEnableOption "Jinja";
       lua.enable = mkEnableOption "Lua";
@@ -34,6 +27,7 @@ in
   imports = [
     ./langs/c
     ./langs/go
+    ./langs/hugo
     ./langs/java
     ./langs/jinja
     ./langs/lua
@@ -48,28 +42,7 @@ in
     ./langs/svelte
     ./langs/typescript
     ./langs/yaml
+
+    ./copilot.nix
   ];
-
-  config = {
-    programs.vscode.profiles.default = {
-      extensions =
-        with pkgs.vscode-extensions;
-        [ ]
-        ++ lib.lists.optionals cfg.copilot.enable [
-          github.copilot
-          github.copilot-chat
-        ];
-
-      userSettings = lib.mkMerge [
-        (lib.mkIf cfg.copilot.enable {
-          "github.copilot.enable" = {
-            "*" = true;
-            plaintext = true;
-            markdown = true;
-          };
-          "chat.editing.alwaysSaveWithGeneratedChanges" = true;
-        })
-      ];
-    };
-  };
 }

hosts/elara/README.md

@@ -4,7 +4,12 @@
 
 This host uses private SAS repositories. You can find the imports for these in:
 
-- [./default.nix](./default.nix)
-- [./users/nikara/default.nix](./users/nikara/default.nix)
+You must build the system once with `sas.build.private = false;`. Then, connect to the SAS VPN, and rebuild the system.
 
-You must build the system once with these imports commented out. Then, connect to the SAS VPN, uncomment them, and rebuild the system.
+## Installation Instructions
+
+1. Using a separate Nix system, run `hosts/elara/build-tarball.sh`
+2. Copy the generated tarball to the Elara host
+3. On the Elara host, run `wsl --import NixOS $env:USERPROFILE\NixOS nixos.wsl --version 2` in PowerShell
+4. Enable `cgroup v2` support by setting `kernelCommandLine=cgroup_no_v1=all` in `.wslconfig` in your Windows home directory
+5. Optionally, run `wsl --set-default nixos` to make NixOS the default WSL distribution

hosts/elara/build-tarball.sh

@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+temp=$(mktemp -d)
+
+cleanup() {
+  rm -rf "$temp"
+}
+trap cleanup EXIT
+
+install -d -m 755 "$temp/etc/ssh"
+cp ./submodules/secrets/hosts/elara/ssh_host_ed25519_key "$temp/etc/ssh/ssh_host_ed25519_key"
+
+install -d -m 700 "$temp/home/nikara"
+install -d -m 755 "$temp/home/nikara/.config/sops-nix"
+cp ./submodules/secrets/domains/sas/key.txt "$temp/home/nikara/.config/sops-nix/key.txt"
+
+sudo nix run .#nixosConfigurations.elara.config.system.build.tarballBuilder -- \
+  --extra-files "$temp" \
+  --chown /home/nikara 1000:100

hosts/elara/configs/git/default.nix

@@ -1,39 +0,0 @@
-{
-  config,
-  inputs,
-  system,
-  lib,
-  ...
-}:
-let
-  selfPkgs = inputs.self.packages.${system};
-in
-# Configured for the root user to allow private builds
-{
-  sops.secrets."ssh/sas/ed25519/key" = {
-    sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-    key = "ssh/ed25519/key";
-    path = "/root/.ssh/ssh_sas_ed25519_key";
-  };
-
-  programs.ssh = {
-    extraConfig = ''
-      Host github.com
-        User git
-        HostName github.com
-        IdentityFile /root/.ssh/ssh_sas_ed25519_key
-
-      Host gitlab.sas.com
-        User git
-        HostName gitlab.sas.com
-        IdentityFile /root/.ssh/ssh_sas_ed25519_key
-    '';
-
-    knownHostsFiles =
-      with selfPkgs;
-      (
-        [ ssh-known-hosts-github ]
-        ++ lib.lists.optionals config.sas.build.private [ ssh-known-hosts-sas-gitlab ]
-      );
-  };
-}

hosts/elara/configs/nix/default.nix

@@ -0,0 +1,4 @@
+{ inputs, ... }:
+{
+  nix.registry.sas.flake = inputs.sas;
+}

hosts/elara/configs/pki/default.nix

@@ -1,15 +1,11 @@
 {
   config,
-  inputs,
-  system,
   lib,
+  pkgs,
   ...
 }:
-let
-  selfPkgs = inputs.self.packages.${system};
-in
 {
-  security.pki.certificateFiles = lib.lists.optionals config.sas.build.private [
-    "${selfPkgs.sas-cacert}/etc/ssl/certs/ca-bundle.crt"
-  ];
+  security.pki.certificateFiles =
+    with pkgs;
+    lib.lists.optionals config.sas.build.private [ "${sas-cacert}/etc/ssl/certs/ca-bundle.crt" ];
 }

hosts/elara/configs/podman/default.nix

@@ -0,0 +1,4 @@
+{ lib, ... }:
+{
+  virtualisation.containers.storage.settings.storage.driver = lib.mkForce "overlay";
+}

hosts/elara/configs/ssh/default.nix

@@ -0,0 +1,46 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  sops.secrets = {
+    "ssh/personal/key" = {
+      sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+      key = "ssh/key";
+      path = "/root/.ssh/ssh_personal_ed25519_key";
+    };
+
+    "ssh/sas/ed25519/key" = {
+      sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+      key = "ssh/ed25519/key";
+      path = "/root/.ssh/ssh_sas_ed25519_key";
+    };
+  };
+
+  programs.ssh = {
+    extraConfig = ''
+      Host karaolidis.com
+        User git
+        HostName karaolidis.com
+        IdentityFile /root/.ssh/ssh_personal_ed25519_key
+        IdentitiesOnly yes
+
+      Host github.sas.com
+        User git
+        HostName github.com
+        IdentityFile /root/.ssh/ssh_sas_ed25519_key
+        IdentitiesOnly yes
+        UserKnownHostsFile ${pkgs.sshKnownHosts.github}
+
+      Host gitlab.sas.com
+        User git
+        HostName gitlab.sas.com
+        IdentityFile /root/.ssh/ssh_sas_ed25519_key
+        IdentitiesOnly yes
+        ${lib.strings.optionalString config.sas.build.private "UserKnownHostsFile ${pkgs.sshKnownHosts.sas-gitlab}"}
+    '';
+  };
+}

hosts/elara/default.nix

@@ -1,63 +1,49 @@
-{ config, inputs, ... }:
+{ inputs, lib, ... }:
 {
-  imports = [
-    ./options.nix
+  nixpkgs.overlays = [
+    inputs.lib.overlays.default
+    inputs.self.overlays.default
+    inputs.nur.overlays.default
+    inputs.sas.overlays.default
+  ];
+
+  imports = [
+    inputs.nixos-wsl.nixosModules.default
+    inputs.sas.nixosModules.default
 
-    inputs.disko.nixosModules.disko
-    ./format.nix
     ./hardware
+    ./options.nix
 
     ../common/configs/system
 
-    ../common/configs/system/bluetooth
-    ../common/configs/system/boot
-    ../common/configs/system/brightnessctl
-    ../common/configs/system/btrbk
-    ../common/configs/system/btrfs
-    ../common/configs/system/cloudflared
-    ../common/configs/system/dnsmasq
     ../common/configs/system/documentation
-    ../common/configs/system/getty
     ../common/configs/system/git
-    ../common/configs/system/gpg-agent
     ../common/configs/system/impermanence
-    ../common/configs/system/libvirt
     ../common/configs/system/neovim
-    ../common/configs/system/networkmanager
     ../common/configs/system/nix
-    ../common/configs/system/nix-cleanup
-    ../common/configs/system/nix-install
     ../common/configs/system/nix-ld
     ../common/configs/system/nix-update
     ../common/configs/system/nixpkgs
-    ../common/configs/system/ntp
-    ../common/configs/system/pipewire
     ../common/configs/system/podman
-    ../common/configs/system/power
-    ../common/configs/system/printing
-    ../common/configs/system/smartmontools
     ../common/configs/system/sops
     ../common/configs/system/ssh
-    ../common/configs/system/ssh-agent
+    ../common/configs/system/sshd
     ../common/configs/system/sudo
     ../common/configs/system/system
-    ../common/configs/system/timezone
-    ../common/configs/system/tmux
-    ../common/configs/system/upower
     ../common/configs/system/users
     ../common/configs/system/zsh
 
-    ./configs/git
-    "${inputs.secrets}/hosts/elara/configs/globalprotect"
+    ./configs/nix
     ./configs/pki
+    ./configs/podman
+    ./configs/ssh
 
     ./users/nikara
   ];
 
   networking.hostName = "elara";
 
-  sas.build.private = true;
+  sas.build.private = false;
 
-  environment.impermanence.device =
-    config.disko.devices.disk.usb.content.partitions.root.content.content.device;
+  environment.impermanence.enable = lib.mkForce false;
 }

hosts/elara/format.nix

@@ -1,87 +0,0 @@
-{
-  disko.devices = {
-    disk.usb = {
-      device = "/dev/disk/by-id/ata-Samsung_SSD_990_EVO_1TB_S7GCNL0XA04998F";
-      type = "disk";
-      content = {
-        type = "gpt";
-        partitions = {
-          boot = {
-            name = "boot";
-            size = "1M";
-            type = "EF02";
-          };
-          esp = {
-            name = "esp";
-            size = "512M";
-            type = "EF00";
-            content = {
-              type = "filesystem";
-              format = "vfat";
-              mountpoint = "/boot";
-              mountOptions = [ "umask=0077" ];
-            };
-          };
-          swap = {
-            name = "swap";
-            size = "32G";
-            content = {
-              type = "swap";
-              resumeDevice = true;
-            };
-          };
-          root = {
-            name = "root";
-            size = "100%";
-            content = {
-              name = "usb";
-              type = "luks";
-              passwordFile = "/tmp/keyfile";
-              settings = {
-                allowDiscards = true;
-              };
-              content = {
-                type = "btrfs";
-                extraArgs = [ "-f" ];
-                subvolumes =
-                  let
-                    mountOptions = [
-                      "compress=zstd:3"
-                      "noatime"
-                      "user_subvol_rm_allowed"
-                    ];
-                  in
-                  {
-                    "@" = {
-                      mountpoint = "/";
-                      inherit mountOptions;
-                    };
-                    "@persist" = {
-                      mountpoint = "/persist";
-                      inherit mountOptions;
-                    };
-                    "@persist/user" = {
-                      mountpoint = "/persist/user";
-                      inherit mountOptions;
-                    };
-                    "@persist/state" = {
-                      mountpoint = "/persist/state";
-                      inherit mountOptions;
-                    };
-                    "@persist/cache" = {
-                      mountpoint = "/persist/cache";
-                      inherit mountOptions;
-                    };
-                    "@nix" = {
-                      mountpoint = "/nix";
-                      inherit mountOptions;
-                    };
-                  };
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/elara/hardware/default.nix

@@ -1,19 +1,10 @@
 { ... }:
 {
-  boot.initrd.kernelModules = [
-    "xhci_pci"
-    "uas"
-    "sd_mod"
-  ];
+  imports = [ ./display.nix ];
 
-  services.tlp.settings.DISK_DEVICES = "sda";
-
-  # By default, this host runs on an external SSD attached to himalia...
-  imports = [ ../../himalia/hardware ];
-
-  # ...but it can also run attached to a SAS-provided laptop.
-  specialisation.sas.configuration = {
-    disabledModules = [ ../../himalia/hardware ];
-    imports = [ ./sas ];
+  wsl = {
+    enable = true;
+    tarball.configPath = ../../../.;
+    startMenuLaunchers = true;
   };
 }

hosts/elara/hardware/display.nix

@@ -0,0 +1,6 @@
+{ ... }:
+{
+  home-manager.sharedModules = [
+    { programs.vscode.profiles.default.userSettings."window.zoomLevel" = (1.25 - 1) / 0.2; }
+  ];
+}

hosts/elara/hardware/sas/default.nix

@@ -1,25 +0,0 @@
-{ ... }:
-{
-  imports = [ ./display.nix ];
-
-  hardware = {
-    enableAllFirmware = true;
-
-    cpu = {
-      cores = 8;
-      threads = 12;
-      intel.updateMicrocode = true;
-    };
-  };
-
-  boot = {
-    kernelModules = [ "kvm-intel" ];
-    initrd.kernelModules = [
-      "thunderbolt"
-      "vmd"
-      "nvme"
-    ];
-  };
-
-  services.fstrim.enable = true;
-}

hosts/elara/hardware/sas/display.nix

@@ -1,30 +0,0 @@
-{ ... }:
-{
-  boot.kernelParams = [ "video=eDP-1:1920x1200@60" ];
-
-  home-manager.sharedModules = [
-    {
-      wayland.windowManager.hyprland.settings = {
-        monitor = [
-          "eDP-1, preferred, 0x0, 1"
-          ", maxwidth, auto-center-up, 1"
-        ];
-
-        workspace = [
-          "1, monitor:eDP-1, layoutopt:orientation:left"
-          "2, monitor:eDP-1, layoutopt:orientation:left"
-          "3, monitor:eDP-1, layoutopt:orientation:left"
-          "4, monitor:eDP-1, layoutopt:orientation:left"
-          "5, monitor:eDP-1, layoutopt:orientation:left"
-          "6, monitor:eDP-1, layoutopt:orientation:left"
-          "7, monitor:eDP-1, layoutopt:orientation:left"
-          "8, monitor:eDP-1, layoutopt:orientation:left"
-          "9, monitor:eDP-1, layoutopt:orientation:left"
-          "10, monitor:eDP-1, layoutopt:orientation:left"
-        ];
-      };
-
-      programs.vscode.profiles.default.userSettings."window.zoomLevel" = (1.25 - 1) / 0.2;
-    }
-  ];
-}

hosts/elara/users/nikara/configs/console/c/default.nix

@@ -1,9 +0,0 @@
-{ user, home }:
-{ pkgs, ... }:
-{
-  home-manager.users.${user}.home.packages = with pkgs; [
-    gcc
-    cmake
-    gnumake
-  ];
-}

hosts/elara/users/nikara/configs/console/git/default.nix

@@ -1,109 +0,0 @@
-{ user, home }:
-{
-  config,
-  inputs,
-  lib,
-  system,
-  pkgs,
-  ...
-}:
-let
-  hmConfig = config.home-manager.users.${user};
-  selfPkgs = inputs.self.packages.${system};
-in
-{
-  home-manager.users.${user} = {
-    sops = {
-      secrets = {
-        "git/credentials/personal/git.karaolidis.com/admin/username" = {
-          sopsFile = "${inputs.secrets}/personal/secrets.yaml";
-          key = "git/credentials/git.karaolidis.com/admin/username";
-        };
-
-        "git/credentials/personal/git.karaolidis.com/admin/password" = {
-          sopsFile = "${inputs.secrets}/personal/secrets.yaml";
-          key = "git/credentials/git.karaolidis.com/admin/password";
-        };
-
-        "git/credentials/sas/github.com/admin/username" = {
-          sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-          key = "git/credentials/github.com/admin/username";
-        };
-
-        "git/credentials/sas/github.com/admin/password" = {
-          sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-          key = "git/credentials/github.com/admin/password";
-        };
-      };
-
-      templates."git/credentials" = {
-        content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/admin/username"}:${
-            hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/admin/password"
-          }@git.karaolidis.com
-          https://${hmConfig.sops.placeholder."git/credentials/sas/github.com/admin/username"}:${
-            hmConfig.sops.placeholder."git/credentials/sas/github.com/admin/password"
-          }@github.com
-        '';
-        path = "${home}/.config/git/credentials";
-      };
-    };
-
-    programs = {
-      git.extraConfig.core.sshCommand = lib.meta.getExe (
-        pkgs.writeShellApplication {
-          name = "git-ssh-key-wrapper";
-          runtimeInputs = with pkgs; [ openssh ];
-          text = builtins.readFile ./git-ssh-key-wrapper.sh;
-        }
-      );
-
-      ssh = {
-        matchBlocks = {
-          "github.com" = {
-            hostname = "github.com";
-            user = "git";
-            identityFile = [
-              "${home}/.ssh/ssh_sas_ed25519_key"
-              "${home}/.ssh/ssh_personal_ed25519_key"
-            ];
-          };
-
-          "gitlab.sas.com" = {
-            hostname = "gitlab.sas.com";
-            user = "git";
-            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
-          };
-
-          "gerrit-svi.unx.sas.com" = {
-            hostname = "gerrit-svi.unx.sas.com";
-            user = "nikara";
-            port = 29418;
-            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
-          };
-
-          "artifactlfs.unx.sas.com" = {
-            hostname = "artifactlfs.unx.sas.com";
-            user = "nikara";
-            port = 1339;
-            identityFile = "${home}/.ssh/ssh_sas_rsa_key";
-          };
-        };
-
-        userKnownHostsFiles =
-          with selfPkgs;
-          (
-            [
-              ssh-known-hosts-github
-              ssh-known-hosts-gitlab
-            ]
-            ++ lib.lists.optionals config.sas.build.private [
-              ssh-known-hosts-sas-gitlab
-              ssh-known-hosts-sas-gerrit
-              ssh-known-hosts-sas-artifact
-            ]
-          );
-      };
-    };
-  };
-}

hosts/elara/users/nikara/configs/console/git/git-ssh-key-wrapper.sh

@@ -1,16 +0,0 @@
-# shellcheck shell=bash
-
-key="$HOME/.ssh/ssh_personal_ed25519_key"
-
-if [[ "$*" == *"git@github.com"* ]]; then
-  if [[ "$*" == *"sas-institute-rnd-product/"* ||
-        "$*" == *"sas-institute-rnd-internal/"* ||
-        "$*" == *"sas-institute-rnd-pipeline-test/"* ||
-        "$*" == *"_sasinst/"* ]]; then
-    key="$HOME/.ssh/ssh_sas_ed25519_key"
-  fi
-
-  exec ssh -i "$key" "$@"
-fi
-
-exec ssh "$@"

hosts/elara/users/nikara/configs/console/go/default.nix

@@ -1,26 +0,0 @@
-{ user, home }:
-{ pkgs, ... }:
-{
-  environment.persistence."/persist/cache"."${home}/.local/share/go" = { };
-
-  home-manager.users.${user} = {
-    programs.go = {
-      enable = true;
-      goPath = ".local/share/go";
-    };
-
-    home = {
-      packages = with pkgs; [
-        gopls
-        go-tools
-        golangci-lint
-        golangci-lint-langserver
-      ];
-
-      sessionVariables = {
-        GOPROXY = "goproxy.unx.sas.com";
-        GONOSUMDB = "*.sas.com,sassoftware.io";
-      };
-    };
-  };
-}

hosts/elara/users/nikara/configs/console/gpg/default.nix

@@ -1,5 +1,10 @@
 { user, home }:
-{ config, inputs, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
 let
   hmConfig = config.home-manager.users.${user};
 in
@@ -7,22 +12,22 @@ in
   home-manager.users.${user} = {
     sops.secrets = {
       "gpg/personal/key" = {
-        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+        sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
         key = "gpg/key";
       };
 
       "gpg/personal/pass" = {
-        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+        sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
         key = "gpg/pass";
       };
 
       "gpg/sas/key" = {
-        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
+        sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
         key = "gpg/key";
       };
 
       "gpg/sas/pass" = {
-        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
+        sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
         key = "gpg/pass";
       };
     };

hosts/elara/users/nikara/configs/console/gradle/default.nix

@@ -1,23 +0,0 @@
-{ user, home }:
-{ config, pkgs, ... }:
-let
-  hmConfig = config.home-manager.users.${user};
-in
-{
-  environment.persistence."/persist/cache"."${home}/.local/share/gradle" = { };
-
-  home-manager.users.${user} = {
-    programs.gradle = {
-      enable = true;
-      home = ".local/share/gradle";
-    };
-
-    sops.templates."gradle.properties" = {
-      content = ''
-        cdpUser=${hmConfig.sops.placeholder."artifactory/cdp/user"}
-        cdpPassword=${hmConfig.sops.placeholder."artifactory/cdp/password"}
-      '';
-      path = "${home}/.local/share/gradle/gradle.properties";
-    };
-  };
-}

hosts/elara/users/nikara/configs/console/java/default.nix

@@ -1,8 +0,0 @@
-{ user, home }:
-{ pkgs, ... }:
-{
-  home-manager.users.${user}.programs.java = {
-    enable = true;
-    package = pkgs.jdk17;
-  };
-}

hosts/elara/users/nikara/configs/console/kubernetes/default.nix

@@ -1,17 +0,0 @@
-{ user, home }:
-{ pkgs, ... }:
-{
-  nixpkgs.overlays = [
-    (final: prev: {
-      telepresence = prev.telepresence.overrideAttrs (oldAttrs: {
-        patches = oldAttrs.patches or [ ] ++ [ ./extend-timeout.patch ];
-      });
-    })
-  ];
-
-  home-manager.users.${user}.home.packages = with pkgs; [
-    telepresence
-    kubeval
-    calicoctl
-  ];
-}

hosts/elara/users/nikara/configs/console/neovim/default.nix

@@ -0,0 +1,6 @@
+{ user, home }:
+{ pkgs, ... }:
+{
+  home-manager.users.${user}.programs.nvf.settings.vim.clipboard.providers.wl-copy.package =
+    pkgs.wsl-wl-clipboard;
+}

hosts/elara/users/nikara/configs/console/podman/default.nix

@@ -10,41 +10,45 @@ let
   hmConfig = config.home-manager.users.${user};
 in
 {
-  home-manager.users.${user}.sops = {
-    secrets = {
-      "registry/personal/docker.io" = {
-        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
-        key = "registry/docker.io";
+  home-manager.users.${user} = {
+    sops = {
+      secrets = {
+        "registry/personal/git.karaolidis.com" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "registry/git.karaolidis.com";
+        };
+
+        "registry/personal/docker.io" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "registry/docker.io";
+        };
+
+        "registry/sas/cr.sas.com" = {
+          sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+          key = "registry/cr.sas.com";
+        };
       };
 
-      "registry/personal/registry.karaolidis.com" = {
-        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
-        key = "registry/registry.karaolidis.com";
-      };
-
-      "registry/sas/cr.sas.com" = {
-        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-        key = "registry/cr.sas.com";
+      templates.containers-auth = {
+        content = builtins.readFile (
+          (pkgs.formats.json { }).generate "auth.json" {
+            auths = {
+              "git.karaolidis.com" = {
+                auth = hmConfig.sops.placeholder."registry/personal/git.karaolidis.com";
+              };
+              "docker.io" = {
+                auth = hmConfig.sops.placeholder."registry/personal/docker.io";
+              };
+              "cr.sas.com" = {
+                auth = hmConfig.sops.placeholder."registry/sas/cr.sas.com";
+              };
+            };
+          }
+        );
+        path = "${home}/.config/containers/auth.json";
       };
     };
 
-    templates.containers-auth = {
-      content = builtins.readFile (
-        (pkgs.formats.json { }).generate "auth.json" {
-          auths = {
-            "docker.io" = {
-              auth = hmConfig.sops.placeholder."registry/personal/docker.io";
-            };
-            "registry.karaolidis.com" = {
-              auth = hmConfig.sops.placeholder."registry/personal/registry.karaolidis.com";
-            };
-            "cr.sas.com" = {
-              auth = hmConfig.sops.placeholder."registry/sas/cr.sas.com";
-            };
-          };
-        }
-      );
-      path = "${home}/.config/containers/auth.json";
-    };
+    services.podman.settings.storage.storage.driver = lib.mkForce "overlay";
   };
 }

hosts/elara/users/nikara/configs/console/sas/default.nix

@@ -1,8 +1,84 @@
 { user, home }:
-{ inputs, ... }:
 {
-  home-manager.users.${user}.sops.secrets = {
-    "artifactory/cdp/user".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-    "artifactory/cdp/password".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
+  config,
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  hmConfig = config.home-manager.users.${user};
+in
+{
+  environment.persistence."/persist/cache" = {
+    "${home}/.local/share/go" = { };
+    "${home}/.local/share/gradle" = { };
+  };
+
+  home-manager.users.${user} = {
+    sops = {
+      secrets = {
+        "artifactory/cdp/user".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+        "artifactory/cdp/password".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+        "viya/orders-api/key".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+        "viya/orders-api/secret".sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+      };
+
+      templates."gradle.properties" = {
+        content = ''
+          cdpUser=${hmConfig.sops.placeholder."artifactory/cdp/user"}
+          cdpPassword=${hmConfig.sops.placeholder."artifactory/cdp/password"}
+        '';
+        path = "${home}/.local/share/gradle/gradle.properties";
+      };
+    };
+
+    programs = {
+      go = {
+        enable = true;
+        goPath = ".local/share/go";
+      };
+
+      gradle = {
+        enable = true;
+        home = ".local/share/gradle";
+      };
+
+      java = {
+        enable = true;
+        package = pkgs.jdk17;
+      };
+    };
+
+    home = {
+      packages =
+        with pkgs;
+        [
+          gcc
+          gopls
+          go-tools
+          delve
+          golangci-lint
+          golangci-lint-langserver
+        ]
+        ++ lib.lists.optionals config.sas.build.private [
+          viya4-orders-cli
+          sagew
+          sonder
+          klog
+        ];
+
+      sessionVariables = {
+        GOPROXY = "goproxy.unx.sas.com";
+        GONOSUMDB = "*.sas.com,sassoftware.io";
+      };
+    };
+
+    xdg.configFile."viya4-orders-cli/config.yaml" = lib.mkIf config.sas.build.private {
+      source = (pkgs.formats.yaml { }).generate "config.yaml" {
+        clientCredentialsIdFile = hmConfig.sops.secrets."viya/orders-api/key".path;
+        clientCredentialsSecretFile = hmConfig.sops.secrets."viya/orders-api/secret".path;
+      };
+    };
   };
 }

hosts/elara/users/nikara/configs/console/ssh/default.nix

@@ -2,70 +2,212 @@
 {
   config,
   inputs,
-  system,
+  pkgs,
   lib,
   ...
 }:
 let
   hmConfig = config.home-manager.users.${user};
-  selfPkgs = inputs.self.packages.${system};
 in
 {
   home-manager.users.${user} = {
-    sops.secrets = {
-      "ssh/personal/key" = {
-        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
-        key = "ssh/key";
-        path = "${home}/.ssh/ssh_personal_ed25519_key";
+    sops = {
+      secrets = {
+        "ssh/personal/key" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "ssh/key";
+          path = "${home}/.ssh/ssh_personal_ed25519_key";
+        };
+
+        "ssh/personal/pass" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "ssh/pass";
+        };
+
+        "ssh/sas/ed25519/key" = {
+          sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+          key = "ssh/ed25519/key";
+          path = "${home}/.ssh/ssh_sas_ed25519_key";
+        };
+
+        "ssh/sas/ed25519/pass" = {
+          sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+          key = "ssh/ed25519/pass";
+        };
+
+        "ssh/sas/rsa/key" = {
+          sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+          key = "ssh/rsa/key";
+          path = "${home}/.ssh/ssh_sas_rsa_key";
+        };
+
+        "ssh/sas/rsa/pass" = {
+          sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+          key = "ssh/rsa/pass";
+        };
+
+        "git/credentials/personal/git.karaolidis.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/git.karaolidis.com/username";
+        };
+
+        "git/credentials/personal/git.karaolidis.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/git.karaolidis.com/tokens/admin";
+        };
+
+        "git/credentials/sas/github.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+          key = "git/credentials/github.com/username";
+        };
+
+        "git/credentials/sas/github.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
+          key = "git/credentials/github.com/tokens/admin";
+        };
+
+        "git/credentials/personal/github.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/github.com/username";
+        };
+
+        "git/credentials/personal/github.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/github.com/tokens/admin";
+        };
+
+        "git/credentials/personal/gitlab.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitlab.com/username";
+        };
+
+        "git/credentials/personal/gitlab.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitlab.com/tokens/admin";
+        };
+
+        "git/credentials/personal/gitea.com/username" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitea.com/username";
+        };
+
+        "git/credentials/personal/gitea.com/tokens/admin" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          key = "git/credentials/gitea.com/tokens/admin";
+        };
       };
 
-      "ssh/personal/pass" = {
-        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
-        key = "ssh/pass";
-      };
-
-      "ssh/sas/ed25519/key" = {
-        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-        key = "ssh/ed25519/key";
-        path = "${home}/.ssh/ssh_sas_ed25519_key";
-      };
-
-      "ssh/sas/ed25519/pass" = {
-        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-        key = "ssh/ed25519/pass";
-      };
-
-      "ssh/sas/rsa/key" = {
-        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-        key = "ssh/rsa/key";
-        path = "${home}/.ssh/ssh_sas_rsa_key";
-      };
-
-      "ssh/sas/rsa/pass" = {
-        sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-        key = "ssh/rsa/pass";
+      templates."git/credentials" = {
+        content = ''
+          https://${hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/personal/git.karaolidis.com/tokens/admin"
+          }@git.karaolidis.com
+          https://${hmConfig.sops.placeholder."git/credentials/sas/github.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/sas/github.com/tokens/admin"
+          }@github.com
+          https://${hmConfig.sops.placeholder."git/credentials/personal/gitlab.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/personal/gitlab.com/tokens/admin"
+          }@gitlab.com
+          https://${hmConfig.sops.placeholder."git/credentials/personal/gitea.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/personal/gitea.com/tokens/admin"
+          }@gitea.com
+        '';
+        path = "${home}/.config/git/credentials";
       };
     };
 
     programs = {
-      ssh = {
-        matchBlocks = {
-          "karaolidis.com" = {
-            hostname = "karaolidis.com";
-            user = "nick";
-            identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-          };
-
-          "cldlgn.fyi.sas.com" = {
-            inherit user;
-            hostname = "cldlgn.fyi.sas.com";
-            identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
-          };
+      ssh.matchBlocks = {
+        "karaolidis.com" = {
+          hostname = "karaolidis.com";
+          user = "nick";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
         };
 
-        userKnownHostsFiles =
-          with selfPkgs;
-          lib.lists.optionals config.sas.build.private [ ssh-known-hosts-sas-cldlgn ];
+        "tunnel.karaolidis.com" = {
+          hostname = "tunnel.karaolidis.com";
+          user = "nick";
+          port = 2222;
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        };
+
+        "github.com" = {
+          hostname = "github.com";
+          user = "git";
+          identityFile = [ "${home}/.ssh/ssh_personal_ed25519_key" ];
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.github;
+        };
+
+        "gitlab.com" = {
+          hostname = "gitlab.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitlab;
+        };
+
+        "gitea.com" = {
+          hostname = "gitea.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitea;
+        };
+
+        "github.sas.com" = {
+          hostname = "github.com";
+          user = "git";
+          identityFile = [ "${home}/.ssh/ssh_sas_ed25519_key" ];
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.github
+          );
+        };
+
+        "cldlgn.fyi.sas.com" = {
+          inherit user;
+          hostname = "cldlgn.fyi.sas.com";
+          identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-cldlgn
+          );
+        };
+
+        "gitlab.sas.com" = {
+          hostname = "gitlab.sas.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-gitlab
+          );
+        };
+
+        "gerrit-svi.unx.sas.com" = {
+          hostname = "gerrit-svi.unx.sas.com";
+          user = "nikara";
+          port = 29418;
+          identityFile = "${home}/.ssh/ssh_sas_ed25519_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-gerrit
+          );
+        };
+
+        "artifactlfs.unx.sas.com" = {
+          hostname = "artifactlfs.unx.sas.com";
+          user = "nikara";
+          port = 1339;
+          identityFile = "${home}/.ssh/ssh_sas_rsa_key";
+          userKnownHostsFile = lib.mkIf config.sas.build.private (
+            builtins.toString pkgs.sshKnownHosts.sas-artifact
+          );
+        };
+      };
+
+      git.extraConfig.url = {
+        "git@github.sas.com:sas-institute-rnd-product".insteadOf =
+          "git@github.com:sas-institute-rnd-product";
+        "git@github.sas.com:sas-institute-rnd-internal".insteadOf =
+          "git@github.com:sas-institute-rnd-internal";
+        "git@github.sas.com:sas-institute-rnd-pipeline-test".insteadOf =
+          "git@github.com:sas-institute-rnd-pipeline-test";
+        "git@github.sas.com:Nick-Karaolidis_sasinst".insteadOf = "git@github.com:Nick-Karaolidis_sasinst";
       };
 
       clipbook.bookmarks = {

hosts/elara/users/nikara/configs/console/viya4-orders-cli/default.nix

@@ -1,29 +0,0 @@
-{ user, home }:
-{
-  config,
-  inputs,
-  pkgs,
-  system,
-  ...
-}:
-let
-  selfPkgs = inputs.self.packages.${system};
-  hmConfig = config.home-manager.users.${user};
-in
-{
-  home-manager.users.${user} = {
-    sops.secrets = {
-      "viya/orders-api/key".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-      "viya/orders-api/secret".sopsFile = "${inputs.secrets}/sas/secrets.yaml";
-    };
-
-    home.packages = [ selfPkgs.viya4-orders-cli ];
-
-    xdg.configFile."viya4-orders-cli/config.yaml".source =
-      (pkgs.formats.yaml { }).generate "config.yaml"
-        {
-          clientCredentialsIdFile = hmConfig.sops.secrets."viya/orders-api/key".path;
-          clientCredentialsSecretFile = hmConfig.sops.secrets."viya/orders-api/secret".path;
-        };
-  };
-}

hosts/elara/users/nikara/configs/console/wsl/default.nix

@@ -0,0 +1,5 @@
+{ user, home }:
+{ pkgs, ... }:
+{
+  home-manager.users.${user}.home.packages = with pkgs; [ wsl-wl-clipboard ];
+}

hosts/elara/users/nikara/configs/gui/kitty/default.nix

@@ -0,0 +1,5 @@
+{ user, home }:
+{ ... }:
+{
+  home-manager.users.${user}.programs.kitty.settings.hide_window_decorations = true;
+}

hosts/elara/users/nikara/configs/gui/obsidian/default.nix

@@ -1,23 +1,5 @@
 { user, home }:
 { ... }:
 {
-  home-manager.users.${user} = {
-    programs.obsidian.vaults = {
-      "Documents/Obsidian/personal/master".enable = true;
-      "Documents/Obsidian/sas/master".enable = true;
-    };
-
-    services.syncthing.settings.folders.obsidian = {
-      label = "Obsidian";
-      path = "${home}/Documents/Obsidian/personal";
-      devices = [
-        "amalthea"
-        "ganymede"
-      ];
-      maxConflicts = 0;
-    };
-
-    home.file."Documents/Obsidian/personal/.stignore".source =
-      ../../../../../../common/configs/user/gui/obsidian/.stignore;
-  };
+  home-manager.users.${user}.programs.obsidian.vaults."Documents/Obsidian/master".enable = true;
 }

hosts/elara/users/nikara/configs/gui/vscode/default.nix

@@ -1,21 +1,30 @@
 { user, home }:
-{ ... }:
+{ lib, ... }:
 {
-  home-manager.users.${user}.programs.vscode.languages = {
-    c.enable = true;
-    go.enable = true;
-    java.enable = true;
-    jinja.enable = true;
-    lua.enable = true;
-    markdown.enable = true;
-    nix.enable = true;
-    podman.enable = true;
-    python.enable = true;
-    rest.enable = true;
-    rust.enable = true;
-    sas.enable = true;
-    sops.enable = true;
-    typescript.enable = true;
-    yaml.enable = true;
+  home-manager.users.${user} = {
+    programs.vscode = {
+      languages = {
+        c.enable = true;
+        go.enable = true;
+        hugo.enable = true;
+        java.enable = true;
+        jinja.enable = true;
+        lua.enable = true;
+        markdown.enable = true;
+        nix.enable = true;
+        podman.enable = true;
+        python.enable = true;
+        rest.enable = true;
+        rust.enable = true;
+        sas.enable = true;
+        sops.enable = true;
+        typescript.enable = true;
+        yaml.enable = true;
+      };
+
+      copilot.enable = true;
+    };
+
+    home.sessionVariables.DONT_PROMPT_WSL_INSTALL = "1";
   };
 }

hosts/elara/users/nikara/default.nix

@@ -14,8 +14,7 @@ in
   imports = [
     (import ../../../common/configs/user { inherit user home; })
 
-    (import ../../../common/configs/user/console/android { inherit user home; })
-    (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/dive { inherit user home; })
     (import ../../../common/configs/user/console/fastfetch { inherit user home; })
@@ -27,83 +26,48 @@ in
     (import ../../../common/configs/user/console/ip { inherit user home; })
     (import ../../../common/configs/user/console/jq { inherit user home; })
     (import ../../../common/configs/user/console/kubernetes { inherit user home; })
-    (import ../../../common/configs/user/console/libvirt { inherit user home; })
     (import ../../../common/configs/user/console/lsof { inherit user home; })
     (import ../../../common/configs/user/console/mprocs { inherit user home; })
     (import ../../../common/configs/user/console/ncdu { inherit user home; })
-    (import ../../../common/configs/user/console/ncspot { inherit user home; })
     (import ../../../common/configs/user/console/neovim { inherit user home; })
     (import ../../../common/configs/user/console/nix { inherit user home; })
-    (import ../../../common/configs/user/console/nix-cleanup { inherit user home; })
     (import ../../../common/configs/user/console/nix-develop { inherit user home; })
     (import ../../../common/configs/user/console/nix-direnv { inherit user home; })
     (import ../../../common/configs/user/console/ouch { inherit user home; })
-    (import ../../../common/configs/user/console/pipewire { inherit user home; })
     (import ../../../common/configs/user/console/podman { inherit user home; })
     (import ../../../common/configs/user/console/sops { inherit user home; })
     (import ../../../common/configs/user/console/ssh { inherit user home; })
     (import ../../../common/configs/user/console/ssh-agent { inherit user home; })
-    (import ../../../common/configs/user/console/syncthing { inherit user home; })
-    (import ../../../common/configs/user/console/tmux { inherit user home; })
     (import ../../../common/configs/user/console/tree { inherit user home; })
     (import ../../../common/configs/user/console/wget { inherit user home; })
     (import ../../../common/configs/user/console/xdg { inherit user home; })
     (import ../../../common/configs/user/console/yazi { inherit user home; })
-    (import ../../../common/configs/user/console/yt-dlp { inherit user home; })
+    (import ../../../common/configs/user/console/zellij { inherit user home; })
     (import ../../../common/configs/user/console/zoxide { inherit user home; })
     (import ../../../common/configs/user/console/zsh { inherit user home; })
 
-    (import ../../../common/configs/user/gui/astal { inherit user home; })
-    (import ../../../common/configs/user/gui/bluetooth { inherit user home; })
-    (import ../../../common/configs/user/gui/btop { inherit user home; })
-    (import ../../../common/configs/user/gui/clipbook { inherit user home; })
-    (import ../../../common/configs/user/gui/cliphist { inherit user home; })
-    (import ../../../common/configs/user/gui/emoji { inherit user home; })
-    (import ../../../common/configs/user/gui/feh { inherit user home; })
-    (import ../../../common/configs/user/gui/firefox { inherit user home; })
     (import ../../../common/configs/user/gui/gtk { inherit user home; })
-    (import ../../../common/configs/user/gui/hypridle { inherit user home; })
-    (import ../../../common/configs/user/gui/hyprland { inherit user home; })
-    (import ../../../common/configs/user/gui/hyprpicker { inherit user home; })
-    (import ../../../common/configs/user/gui/hyprshot { inherit user home; })
     (import ../../../common/configs/user/gui/kitty { inherit user home; })
-    (import ../../../common/configs/user/gui/libreoffice { inherit user home; })
-    (import ../../../common/configs/user/gui/mpv { inherit user home; })
-    (import ../../../common/configs/user/gui/networkmanager { inherit user home; })
-    (import ../../../common/configs/user/gui/obs { inherit user home; })
     (import ../../../common/configs/user/gui/obsidian { inherit user home; })
-    (import ../../../common/configs/user/gui/pipewire { inherit user home; })
-    (import ../../../common/configs/user/gui/qalculate { inherit user home; })
     (import ../../../common/configs/user/gui/qt { inherit user home; })
-    (import ../../../common/configs/user/gui/rofi { inherit user home; })
-    (import ../../../common/configs/user/gui/rquickshare { inherit user home; })
-    (import ../../../common/configs/user/gui/swww { inherit user home; })
     (import ../../../common/configs/user/gui/theme { inherit user home; })
     (import ../../../common/configs/user/gui/vscode { inherit user home; })
-    (import ../../../common/configs/user/gui/wev { inherit user home; })
-    (import ../../../common/configs/user/gui/wl-clipboard { inherit user home; })
-    (import ../../../common/configs/user/gui/x11 { inherit user home; })
-    (import ../../../common/configs/user/gui/xdg { inherit user home; })
 
-    (import ./configs/console/c { inherit user home; })
-    (import ./configs/console/git { inherit user home; })
-    (import ./configs/console/go { inherit user home; })
     (import ./configs/console/gpg { inherit user home; })
-    (import ./configs/console/gradle { inherit user home; })
-    (import ./configs/console/java { inherit user home; })
-    (import ./configs/console/kubernetes { inherit user home; })
+    (import ./configs/console/neovim { inherit user home; })
     (import ./configs/console/podman { inherit user home; })
     (import ./configs/console/sas { inherit user home; })
     (import ./configs/console/ssh { inherit user home; })
-    (import ./configs/console/viya4-orders-cli { inherit user home; })
+    (import ./configs/console/wsl { inherit user home; })
 
+    (import ./configs/gui/kitty { inherit user home; })
     (import ./configs/gui/obsidian { inherit user home; })
     (import ./configs/gui/vscode { inherit user home; })
   ];
 
   # mkpasswd -s
   sops.secrets."${user}-password" = {
-    sopsFile = "${inputs.secrets}/sas/secrets.yaml";
+    sopsFile = "${inputs.secrets}/domains/sas/secrets.yaml";
     key = "password";
     neededForUsers = true;
   };
@@ -121,9 +85,13 @@ in
     ];
     linger = true;
     uid = lib.strings.toInt (builtins.readFile ./uid);
+    openssh.authorizedKeys.keyFiles = [
+      "${inputs.secrets}/domains/personal/id_ed25519.pub"
+      "${inputs.secrets}/domains/sas/id_ed25519.pub"
+    ];
   };
 
-  services.getty.autologinUser = user;
+  wsl.defaultUser = user;
 
   home-manager.users.${user}.home = {
     username = user;

hosts/himalia/configs/ssh/default.nix

@@ -0,0 +1,15 @@
+{ inputs, ... }:
+{
+  sops.secrets."ssh/key" = {
+    sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+    path = "/root/.ssh/ssh_personal_ed25519_key";
+  };
+
+  programs.ssh.extraConfig = ''
+    Host karaolidis.com
+      User git
+      HostName karaolidis.com
+      IdentityFile /root/.ssh/ssh_personal_ed25519_key
+      IdentitiesOnly yes
+  '';
+}

hosts/himalia/default.nix

@@ -1,5 +1,11 @@
 { inputs, ... }:
 {
+  nixpkgs.overlays = [
+    inputs.lib.overlays.default
+    inputs.self.overlays.default
+    inputs.nur.overlays.default
+  ];
+
   imports = [
     inputs.disko.nixosModules.disko
     ./format.nix
@@ -15,8 +21,8 @@
     ../common/configs/system/documentation
     ../common/configs/system/getty
     ../common/configs/system/git
-    ../common/configs/system/gpg-agent
     ../common/configs/system/impermanence
+    ../common/configs/system/lanzaboote
     ../common/configs/system/libvirt
     ../common/configs/system/neovim
     ../common/configs/system/networkmanager
@@ -34,15 +40,16 @@
     ../common/configs/system/smartmontools
     ../common/configs/system/sops
     ../common/configs/system/ssh
-    ../common/configs/system/ssh-agent
+    ../common/configs/system/sshd
     ../common/configs/system/sudo
     ../common/configs/system/system
     ../common/configs/system/timezone
-    ../common/configs/system/tmux
     ../common/configs/system/upower
     ../common/configs/system/users
     ../common/configs/system/zsh
 
+    ./configs/ssh
+
     ./users/nick
   ];
 

hosts/himalia/hardware/keybinds.nix

@@ -29,18 +29,6 @@
               ", XF86Launch4, exec, ${asusctl} profile -n"
               ", XF86TouchpadToggle, exec, ${touchpadHelper} asuf1209:00-2808:0219-touchpad"
             ];
-
-          bind =
-            let
-              farmAura = lib.meta.getExe (
-                pkgs.writeShellApplication {
-                  name = "farm-aura";
-                  runtimeInputs = with pkgs; [ genact ];
-                  text = builtins.readFile ./scripts/farm-aura.sh;
-                }
-              );
-            in
-            [ ", XF86Launch3, exec, uwsm app -- $term ${farmAura}" ];
         };
     }
   ];

hosts/himalia/hardware/scripts/farm-aura.sh

@@ -1,13 +0,0 @@
-# shellcheck shell=bash
-
-SESSION_NAME="aura-farm-$$"
-
-tmux new-session -d -s "$SESSION_NAME" "genact -s 25"
-tmux set-hook -t "$SESSION_NAME" pane-exited "run-shell 'tmux kill-session -t $SESSION_NAME'"
-
-for _ in {1..4}; do
-  tmux split-window -t "$SESSION_NAME" -h "genact -s 25"
-done
-
-tmux select-layout -t "$SESSION_NAME" tiled
-tmux attach-session -t "$SESSION_NAME"

hosts/himalia/users/nick/configs/console/git/default.nix

@@ -1,48 +0,0 @@
-{ user, home }:
-{
-  config,
-  inputs,
-  lib,
-  system,
-  ...
-}:
-let
-  hmConfig = config.home-manager.users.${user};
-  selfPkgs = inputs.self.packages.${system};
-in
-{
-  home-manager.users.${user} = {
-    sops = {
-      secrets = {
-        "git/credentials/git.karaolidis.com/admin/username".sopsFile =
-          "${inputs.secrets}/personal/secrets.yaml";
-        "git/credentials/git.karaolidis.com/admin/password".sopsFile =
-          "${inputs.secrets}/personal/secrets.yaml";
-      };
-
-      templates."git/credentials" = {
-        content = ''
-          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/username"}:${
-            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/admin/password"
-          }@git.karaolidis.com
-        '';
-        path = "${home}/.config/git/credentials";
-      };
-    };
-
-    programs.ssh = {
-      matchBlocks = {
-        "github.com" = {
-          hostname = "github.com";
-          user = "git";
-          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
-        };
-      };
-
-      userKnownHostsFiles = with selfPkgs; [
-        ssh-known-hosts-github
-        ssh-known-hosts-gitlab
-      ];
-    };
-  };
-}

hosts/himalia/users/nick/configs/console/gpg/default.nix

@@ -6,8 +6,8 @@ in
 {
   home-manager.users.${user} = {
     sops.secrets = {
-      "gpg/key".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
-      "gpg/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+      "gpg/key".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+      "gpg/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
     };
 
     programs.clipbook.bookmarks."GPG Passphrase".source = hmConfig.sops.secrets."gpg/pass".path;

hosts/himalia/users/nick/configs/console/podman/default.nix

@@ -11,20 +11,20 @@ in
 {
   home-manager.users.${user}.sops = {
     secrets = {
-      "registry/docker.io".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
-      "registry/registry.karaolidis.com".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+      "registry/git.karaolidis.com".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+      "registry/docker.io".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
     };
 
     templates."containers-auth.json" = {
       content = builtins.readFile (
         (pkgs.formats.json { }).generate "auth.json" {
           auths = {
+            "git.karaolidis.com" = {
+              auth = hmConfig.sops.placeholder."registry/git.karaolidis.com";
+            };
             "docker.io" = {
               auth = hmConfig.sops.placeholder."registry/docker.io";
             };
-            "registry.karaolidis.com" = {
-              auth = hmConfig.sops.placeholder."registry/registry.karaolidis.com";
-            };
           };
         }
       );

hosts/himalia/users/nick/configs/console/ssh/default.nix

@@ -1,19 +1,103 @@
 { user, home }:
-{ config, inputs, ... }:
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}:
 let
   hmConfig = config.home-manager.users.${user};
 in
 {
   home-manager.users.${user} = {
-    sops.secrets = {
-      "ssh/key" = {
-        sopsFile = "${inputs.secrets}/personal/secrets.yaml";
-        path = "${home}/.ssh/ssh_personal_ed25519_key";
+    sops = {
+      secrets = {
+        "ssh/key" = {
+          sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+          path = "${home}/.ssh/ssh_personal_ed25519_key";
+        };
+
+        "ssh/pass".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/git.karaolidis.com/username".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/git.karaolidis.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/github.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/github.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitlab.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitlab.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitea.com/username".sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
+
+        "git/credentials/gitea.com/tokens/admin".sopsFile =
+          "${inputs.secrets}/domains/personal/secrets.yaml";
       };
 
-      "ssh/pass".sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+      templates."git/credentials" = {
+        content = ''
+          https://${hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/git.karaolidis.com/tokens/admin"
+          }@git.karaolidis.com
+          https://${hmConfig.sops.placeholder."git/credentials/github.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/github.com/tokens/admin"
+          }@github.com
+          https://${hmConfig.sops.placeholder."git/credentials/gitlab.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/gitlab.com/tokens/admin"
+          }@gitlab.com
+          https://${hmConfig.sops.placeholder."git/credentials/gitea.com/username"}:${
+            hmConfig.sops.placeholder."git/credentials/gitea.com/tokens/admin"
+          }@gitea.com
+        '';
+        path = "${home}/.config/git/credentials";
+      };
     };
 
-    programs.clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path;
+    programs = {
+      ssh.matchBlocks = {
+        "karaolidis.com" = {
+          hostname = "karaolidis.com";
+          user = "nick";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        };
+
+        "tunnel.karaolidis.com" = {
+          hostname = "tunnel.karaolidis.com";
+          user = "nick";
+          port = 2222;
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+        };
+
+        "github.com" = {
+          hostname = "github.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.github;
+        };
+
+        "gitlab.com" = {
+          hostname = "gitlab.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitlab;
+        };
+
+        "gitea.com" = {
+          hostname = "gitea.com";
+          user = "git";
+          identityFile = "${home}/.ssh/ssh_personal_ed25519_key";
+          userKnownHostsFile = builtins.toString pkgs.sshKnownHosts.gitea;
+        };
+      };
+
+      clipbook.bookmarks."SSH Key Passphrase".source = hmConfig.sops.secrets."ssh/pass".path;
+    };
   };
 }

hosts/himalia/users/nick/configs/gui/vscode/default.nix

@@ -4,6 +4,7 @@
   home-manager.users.${user}.programs.vscode.languages = {
     c.enable = true;
     go.enable = true;
+    hugo.enable = true;
     java.enable = true;
     lua.enable = true;
     markdown.enable = true;

hosts/himalia/users/nick/default.nix

@@ -15,6 +15,7 @@ in
     (import ../../../common/configs/user { inherit user home; })
 
     (import ../../../common/configs/user/console/android { inherit user home; })
+    (import ../../../common/configs/user/console/attic { inherit user home; })
     (import ../../../common/configs/user/console/brightnessctl { inherit user home; })
     (import ../../../common/configs/user/console/btop { inherit user home; })
     (import ../../../common/configs/user/console/dive { inherit user home; })
@@ -43,18 +44,17 @@ in
     (import ../../../common/configs/user/console/ssh { inherit user home; })
     (import ../../../common/configs/user/console/ssh-agent { inherit user home; })
     (import ../../../common/configs/user/console/syncthing { inherit user home; })
-    (import ../../../common/configs/user/console/tmux { inherit user home; })
     (import ../../../common/configs/user/console/tree { inherit user home; })
     (import ../../../common/configs/user/console/wget { inherit user home; })
     (import ../../../common/configs/user/console/xdg { inherit user home; })
     (import ../../../common/configs/user/console/yazi { inherit user home; })
     (import ../../../common/configs/user/console/yt-dlp { inherit user home; })
+    (import ../../../common/configs/user/console/zellij { inherit user home; })
     (import ../../../common/configs/user/console/zoxide { inherit user home; })
     (import ../../../common/configs/user/console/zsh { inherit user home; })
 
     (import ../../../common/configs/user/gui/astal { inherit user home; })
     (import ../../../common/configs/user/gui/bluetooth { inherit user home; })
-    (import ../../../common/configs/user/gui/btop { inherit user home; })
     (import ../../../common/configs/user/gui/clipbook { inherit user home; })
     (import ../../../common/configs/user/gui/cliphist { inherit user home; })
     (import ../../../common/configs/user/gui/darktable { inherit user home; })
@@ -74,6 +74,7 @@ in
     (import ../../../common/configs/user/gui/hyprland { inherit user home; })
     (import ../../../common/configs/user/gui/hyprpicker { inherit user home; })
     (import ../../../common/configs/user/gui/hyprshot { inherit user home; })
+    (import ../../../common/configs/user/gui/hyprsunset { inherit user home; })
     (import ../../../common/configs/user/gui/kitty { inherit user home; })
     (import ../../../common/configs/user/gui/libreoffice { inherit user home; })
     (import ../../../common/configs/user/gui/mpv { inherit user home; })
@@ -94,7 +95,6 @@ in
     (import ../../../common/configs/user/gui/x11 { inherit user home; })
     (import ../../../common/configs/user/gui/xdg { inherit user home; })
 
-    (import ./configs/console/git { inherit user home; })
     (import ./configs/console/gpg { inherit user home; })
     (import ./configs/console/podman { inherit user home; })
     (import ./configs/console/ssh { inherit user home; })
@@ -106,7 +106,7 @@ in
 
   # mkpasswd -s
   sops.secrets."${user}-password" = {
-    sopsFile = "${inputs.secrets}/personal/secrets.yaml";
+    sopsFile = "${inputs.secrets}/domains/personal/secrets.yaml";
     key = "password";
     neededForUsers = true;
   };
@@ -124,6 +124,7 @@ in
     ];
     linger = true;
     uid = lib.strings.toInt (builtins.readFile ./uid);
+    openssh.authorizedKeys.keyFiles = [ "${inputs.secrets}/domains/personal/id_ed25519.pub" ];
   };
 
   services.getty.autologinUser = user;