diff --git a/flake.lock b/flake.lock index 739c8dc..0e512f4 100644 --- a/flake.lock +++ b/flake.lock @@ -789,11 +789,11 @@ }, "locked": { "dir": "nix", - "lastModified": 1738281090, - "narHash": "sha256-WLdHHGCSaLjQ1DbZVsphHysWjnhs26JzXUaS+7RYfrg=", + "lastModified": 1738337180, + "narHash": "sha256-XXT8rGyMd1ow4jnir8qfLfYIwU2TgzDjpz6amMvs8ac=", "owner": "daylinmorgan", "repo": "tsm", - "rev": "2aab7c23de890700a1ce1c7f651c04478105393b", + "rev": "9a22c559c5b13472528fc2f814149af7b341dfe5", "type": "github" }, "original": { diff --git a/hosts/algiz/default.nix b/hosts/algiz/default.nix index 825e0e3..ede8aed 100644 --- a/hosts/algiz/default.nix +++ b/hosts/algiz/default.nix @@ -36,11 +36,4 @@ # git user handles the forgjo ssh authentication users.users.git.isNormalUser = true; - - sops = { - age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; - defaultSopsFile = ./secrets.yaml; - # by default is accessible only by root:root which should work with above service - secrets.restic-algiz = { }; - }; } diff --git a/hosts/algiz/secrets.nix b/hosts/algiz/secrets.nix new file mode 100644 index 0000000..a39fe27 --- /dev/null +++ b/hosts/algiz/secrets.nix @@ -0,0 +1,12 @@ +{ ... }: +{ + sops = { + age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ]; + defaultSopsFile = ./secrets.yaml; + + # by default is accessible only by root:root which should work with above service + secrets.restic-algiz = { }; + secrets.atticd-env = { }; + }; + +} diff --git a/hosts/algiz/secrets.yaml b/hosts/algiz/secrets.yaml index 2ff8412..915adf4 100644 --- a/hosts/algiz/secrets.yaml +++ b/hosts/algiz/secrets.yaml @@ -1,4 +1,5 @@ restic-algiz: ENC[AES256_GCM,data:r7z1s5pSEIlg2laRmY4D,iv:nfajL8J2A8G80NqMBw/t1tFXCsK9JbTzUgFTisf5JLk=,tag:LWOT9vVzuinXD+AYwk35jA==,type:str] +atticd-env: ENC[AES256_GCM,data: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,iv:daN5ZNc34U7W2VaVRNxOeJ4WkhewD9jSB+5gKB+DR50=,tag:6f8DD8lt22bMy7BtYXJ6Zg==,type:str] sops: kms: [] gcp_kms: [] 
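Review bot: In the new `hosts/algiz/secrets.nix`, `secrets.atticd-env = { };` declares no `restartUnits`, so a rotated value in secrets.yaml is re-decrypted on activation but a running atticd keeps the old environment until it is restarted. I would write `secrets.atticd-env.restartUnits = [ "atticd.service" ];`, assuming that is the unit name the module creates. The carried-over comment `# by default is accessible only by root:root which should work with above service` no longer has a service above it and now covers two secrets; something like `# decrypted files default to root:root 0400; atticd-env is consumed as services.atticd.environmentFile` would be accurate. Nothing in this diff adds `./secrets.nix` to an imports list, so unless the host directory is imported automatically the sops block removed from default.nix is no longer applied; worth confirming.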
@@ -23,8 +24,8 @@ sops: VGJ3VDErbWtnMElrRDNpK2RZTC9MY1kK93dUrPBjgL6kpLBUS3+b14R+bm/AFE/T sm7mxMUVNQVBIYshcl/WtD0yoYDHwW6uLc+KaCwhYDiMFz45zHcn0Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-29T01:19:00Z" - mac: ENC[AES256_GCM,data:J8jbVgwtqck2Sis03re93cVyFw1tMrPc+nnWmlDGoLWh6Jrxq8n+Eac7nsIxU/pZVnY+1x68lAz/2+YHPe8zxChz3f6O2ebscQaAo9M7gG76W2Rt6pDtrKXL7U2pDbjx0p5RwZQM/1tdeRbuUvJk/PYPJONiPVgi/bL6chd2Tew=,iv:brwJE8CZY0K6iRqB9ZUG1AwPfkISoSax692NZoyaNVQ=,tag:7/7V/jw/cgsCSJryrRMJMA==,type:str] + lastmodified: "2025-01-31T16:21:32Z" + mac: ENC[AES256_GCM,data:SDuACnnJ1+ZHha9uBDnSQvoZzzLM0U7aCAqNde5PYre9EKdElx8jBLGwRcANEIGrHPZrQ0VMIB+fphGi0+UFy0VfI6iR+RjDjnPSp6FV8IzITimrHskKmfPCWB6FvEygkLUkRuWKc2uWGc2cL39wyHRIQiK8oK4/iP9TdXEOtPI=,iv:QFUYCd+99D7x+ukzIYPbY2wszDzyk/x898GoZDMeR/U=,tag:lRvt5LiwETbl3TQ4bx5auw==,type:str] pgp: [] unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.9.4 diff --git a/hosts/algiz/services.nix b/hosts/algiz/services.nix index 21c30f2..6e11e35 100644 --- a/hosts/algiz/services.nix +++ b/hosts/algiz/services.nix @@ -1,6 +1,8 @@ { + config, pkgs, enabled, + flake, ... }: let @@ -24,7 +26,7 @@ in }; security.polkit = enabled; # attic was looking for this... - environment.systemPackages = with pkgs; [ attic-client ]; + environment.systemPackages = [ (flake.pkg "lix-atttic").attic-client ]; # allow docker to forward the request to the host running attic # https://discourse.nixos.org/t/docker-container-not-resolving-to-host/30259/6 @@ -32,8 +34,7 @@ in services.atticd = enabled // { # Replace with absolute path to your credentials file - # TODO: replace with sops-secret! - environmentFile = "/etc/atticd.env"; + environmentFile = config.sops.secrets."atticd-env".path; settings = { listen = "[::]:${atticPort}";
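Review bot: The input name in `(flake.pkg "lix-atttic").attic-client` is spelled with three t's, and flake.nix is not part of this diff, so it is worth confirming that it matches the declared input exactly. The flake.lock hunk in this commit only bumps `tsm`, so the input is presumably already locked under that name. A one-line comment above `environment.systemPackages` saying why the client is taken from this input instead of nixpkgs would also help whoever next audits where the binary comes from.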
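Review bot: In the last services.nix hunk the context comment `# Replace with absolute path to your credentials file` stays above `environmentFile = config.sops.secrets."atticd-env".path;` and is now stale. I would replace it with `# decrypted by sops-nix at activation (declared in ./secrets.nix)`. The old plaintext `/etc/atticd.env` was not managed by Nix, so this change does not remove it from the host; delete it by hand, and if it was ever readable beyond root, rotate the value rather than reusing it in secrets.yaml. The `services.atticd` block continues past the end of the hunk.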