diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 5baa7cc..8bcc108 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -15,8 +15,12 @@ jobs: runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 + - uses: docker/metadata-action@v5 + id: meta + with: + images: ghcr.io/${{ github.repository }} - - uses: cachix/install-nix-action@v22 + - uses: cachix/install-nix-action@v27 - run: nix build .#docker - uses: docker/login-action@v3 @@ -25,16 +29,15 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Tag and Push + - name: Publish container images env: - GH_IMAGE: ghcr.io/${{ github.repository }}:${{ github.ref_name }} + IMAGES: ${{ steps.meta.outputs.tags }} + run: | + for img in $IMAGES; do + skopeo copy docker-archive:result "docker://$img" + done + - name: Publish Helm chart run: | - IMAGE="$(docker load -i result | awk '{print $3}')" - docker tag "$IMAGE" "$GH_IMAGE" - docker push "$GH_IMAGE" - - - uses: Azure/setup-helm@v3 - - run: | VERSION="${GITHUB_REF_NAME#v}" helm package --version "$VERSION" --app-version "$GITHUB_REF_NAME" -d pkg/ chart/ helm push ./pkg/*.tgz "oci://ghcr.io/$GITHUB_REPOSITORY_OWNER" diff --git a/flake.lock b/flake.lock index 953c4a6..11a0e2a 100644 --- a/flake.lock +++ b/flake.lock 
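Review bot: The added `docker/metadata-action@v5` and the bumped `cachix/install-nix-action@v27` are referenced by mutable tags, so the code they run can change without any commit in this repository, and the same job later logs in to ghcr.io with `secrets.GITHUB_TOKEN` and publishes artifacts. Pin each third-party action to a full commit SHA and keep the tag as a trailing comment, for example `- uses: docker/metadata-action@<COMMIT_SHA_PLACEHOLDER> # v5`. The context lines `actions/checkout@v4` and `docker/login-action@v3` have the same exposure. The job header is above this hunk, so its `permissions:` block is not visible here; confirm it grants no more than publishing needs (`contents: read`, `packages: write`).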
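Review bot: In the `Publish container images` step, `for img in $IMAGES` relies on unquoted expansion, which applies pathname globbing as well as word splitting. If `steps.meta.outputs.tags` is ever empty, the loop body never runs and the step succeeds, so the Helm chart in the next step would be published without a matching image. Fail early with `[ -n "$IMAGES" ] || { echo "no image tags" >&2; exit 1; }` and read the list line by line with `while IFS= read -r img; do skopeo copy docker-archive:result "docker://$img"; done <<< "$IMAGES"`. The rest of the job lies outside this hunk.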
@@ -5,30 +5,33 @@ "systems": "systems" }, "locked": { - "lastModified": 1694529238, - "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "ff7b65b44d01cf9ba6a71320833626af21126384", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { - "id": "flake-utils", - "type": "indirect" + "owner": "numtide", + "repo": "flake-utils", + "type": "github" } }, "nixpkgs": { "locked": { - "lastModified": 1698855203, - "narHash": "sha256-I9Vrh2ZXBZciGjgIXVhlHNc9XxRt0+bGlUGLGDXQ2r8=", + "lastModified": 1726042813, + "narHash": "sha256-LnNKCCxnwgF+575y0pxUdlGZBO/ru1CtGHIqQVfvjlA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "39d2f0847ebbb57beb8fe3b992b043ad39afa0af", + "rev": "159be5db480d1df880a0135ca0bfed84c2f88353", "type": "github" }, "original": { - "id": "nixpkgs", - "type": "indirect" + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" } }, "root": { diff --git a/flake.nix b/flake.nix index 4477208..2176f18 100644 --- a/flake.nix +++ b/flake.nix @@ -1,8 +1,19 @@ { - outputs = { self, flake-utils, nixpkgs }: - flake-utils.lib.eachDefaultSystem (system: + inputs = { + flake-utils.url = "github:numtide/flake-utils"; + nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; + }; + + outputs = + { + self, + flake-utils, + nixpkgs, + }: + flake-utils.lib.eachDefaultSystem ( + system: let - lib = nixpkgs.lib; + inherit (nixpkgs) lib; pkgs = nixpkgs.legacyPackages.${system}; pkg = self.packages.${system}.default; in @@ -12,7 +23,10 @@ name = "waiter-docs"; src = ./.; - nativeBuildInputs = with pkgs; [ mdbook mdbook-i18n-helpers ]; + nativeBuildInputs = with pkgs; [ + mdbook + mdbook-i18n-helpers + ]; buildPhase = '' mdbook build -d $out @@ -28,6 +42,7 @@ rewrite * /{err.status_code}.html file_server } + log # much performance encode zstd gzip 
diff --git a/src/SUMMARY.md b/src/SUMMARY.md index 3730637..039b48f 100644 --- a/src/SUMMARY.md +++ b/src/SUMMARY.md @@ -1,3 +1,4 @@ # Summary [Waiter](waiter.md) +[Sommelier](sommelier.md) diff --git a/src/sommelier-ca.pem b/src/sommelier-ca.pem new file mode 100644 index 0000000..a322be1 --- /dev/null +++ b/src/sommelier-ca.pem @@ -0,0 +1,11 @@ +-----BEGIN CERTIFICATE----- +MIIBiTCCAS+gAwIBAgIQWUYhPpnmpCsGC65ZcM+jGjAKBggqhkjOPQQDAjAVMRMw +EQYDVQQKEwprdWJlcm5ldGVzMB4XDTI0MDMwOTA5Mzg1M1oXDTM0MDMwNzA5Mzg1 +M1owFTETMBEGA1UEChMKa3ViZXJuZXRlczBZMBMGByqGSM49AgEGCCqGSM49AwEH +A0IABAllXAFhnC06qlSsg5lcYLQsJB3C2zjfp/yaOaYbR5G/TsEcfVTwzdWVuODC +PiNGdCd+6w0P2hIPhudtuEXjJbejYTBfMA4GA1UdDwEB/wQEAwIChDAdBgNVHSUE +FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E +FgQU7BCl5VyKLG0hTJnxj6wK87aG2TEwCgYIKoZIzj0EAwIDSAAwRQIgKnwYuFbE +8c5RDT6MtETCBw/zNPX8I4lbfB1AaRrIq6MCIQD9anECeiEd9eEb9BKJxGABov60 +n/sjD+PQKsFJOs6+QQ== +-----END CERTIFICATE----- diff --git a/src/sommelier.md b/src/sommelier.md new file mode 100644 index 0000000..16b2c10 --- /dev/null +++ b/src/sommelier.md 
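Review bot: `src/sommelier-ca.pem` becomes a trust anchor that readers pass to `--certificate-authority` with `--embed-certs`, but the only copy is the one served by this docs site, so a reader cannot confirm they received the intended certificate. Add the expected fingerprint to the Prerequisites list in `src/sommelier.md`, for example `- SHA-256 fingerprint: <FINGERPRINT_PLACEHOLDER>`. Also show how to check it: `openssl x509 -in sommelier-ca.pem -noout -fingerprint -sha256`. The same value should be published through a second channel, since a fingerprint hosted next to the file only guards against accidental corruption.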
@@ -0,0 +1,41 @@ +# Sommelier + +## kubeconfig + +### Prerequisites + +- Set up [waiter](waiter.md) first +- [sommelier-ca.pem](sommelier-ca.pem) + +### Linux Version + +```bash +# Configure the cluster +kubectl config set-cluster snucse-sommelier \ + --server=https://sommelier.snucse.org:6444 \ + --embed-certs \ + --certificate-authority=sommelier-ca.pem + +# Configure authentication +kubectl config set-credentials bacchus-dex \ + --exec-api-version=client.authentication.k8s.io/v1beta1 \ + --exec-command=kubectl \ + --exec-arg=oidc-login \ + --exec-arg=get-token \ + --exec-arg=--oidc-issuer-url=https://auth.bacchus.io/dex \ + --exec-arg=--oidc-client-id=bacchus-waiter \ + --exec-arg=--oidc-extra-scope=email \ + --exec-arg=--oidc-extra-scope=groups \ + --exec-arg=--oidc-use-pkce + +# Configure context +kubectl config set-context snucse-sommelier-bacchus \ + --cluster=snucse-sommelier \ + --user=bacchus-dex + +# Switch to the context +kubectl config use-context snucse-sommelier-bacchus + +# Verify configuration +kubectl auth whoami +``` diff --git a/src/waiter.md b/src/waiter.md index f9ee916..d740928 100644 --- a/src/waiter.md +++ b/src/waiter.md @@ -4,8 +4,6 @@ ### Prerequisites -**Download** - - [waiter-ca.pem](waiter-ca.pem) - [kubelogin](https://github.com/int128/kubelogin) @@ -21,7 +19,7 @@ kubectl config set-cluster bacchus-waiter \ --certificate-authority=waiter-ca.pem # Configure authentication -kubectl config set-credentials bacchus-waiter \ +kubectl config set-credentials bacchus-dex \ --exec-api-version=client.authentication.k8s.io/v1beta1 \ --exec-command=kubectl \ --exec-arg=oidc-login \ 
@@ -35,15 +33,14 @@ kubectl config set-credentials bacchus-waiter \ # Configure context kubectl config set-context bacchus-waiter \ --cluster=bacchus-waiter \ - --user=bacchus-waiter + --user=bacchus-dex # Switch to the context kubectl config use-context bacchus-waiter -``` - -Verify with `kubectl auth whoami`. -Grant access in the webpage. +# Verify configuration +kubectl auth whoami +``` --- @@ -78,7 +75,3 @@ Change `kubelogin.exe` to `kubectl-oidc_login.exe`. Verify with `kubectl auth whoami`. Grant access in the webpage. - -## VPN - -TODO