I tried going all in on dendritic, but I think I'm gonna go for a lighter approach

modules/ephemeral.nix

@@ -1,84 +0,0 @@
-{ lib, config, ... }:
-
-let
-  cfg = config.ephemeral;
-in
-{
-  options.ephemeral = {
-    enable = lib.mkEnableOption "ephemeral root with automatic rollback";
-
-    rootDevice = lib.mkOption {
-      type = lib.types.str;
-      example = "/dev/mapper/cryptroot";
-      description = "Device path for the root btrfs filesystem";
-    };
-
-    rootSubvolume = lib.mkOption {
-      type = lib.types.str;
-      example = "@root";
-      description = "Name of the root btrfs subvolume";
-    };
-
-    oldRootRetentionDays = lib.mkOption {
-      type = lib.types.int;
-      default = 30;
-      description = "Number of days to keep old root snapshots before deletion";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    boot.initrd.systemd.services.recreate-root = {
-      description = "Rolling over and creating new filesystem root";
-      requires = [ "initrd-root-device.target" ];
-      after = [
-        "local-fs-pre.target"
-        "initrd-root-device.target"
-      ];
-      requiredBy = [ "initrd-root-fs.target" ];
-      before = [ "sysroot.mount" ];
-      unitConfig = {
-        AssertPathExists = "/etc/initrd-release";
-        DefaultDependencies = false;
-      };
-      serviceConfig = {
-        Type = "oneshot";
-        RemainAfterExit = true;
-      };
-      script = ''
-        set -euo pipefail
-
-        mkdir /btrfs_tmp
-        if ! mount ${cfg.rootDevice} /btrfs_tmp; then
-          echo "ERROR: Failed to mount ${cfg.rootDevice}"
-          exit 1
-        fi
-
-        if [[ -e /btrfs_tmp/${cfg.rootSubvolume} ]]; then
-          mkdir -p /btrfs_tmp/old_roots
-          timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/${cfg.rootSubvolume})" "+%Y-%m-%-d_%H:%M:%S")
-          mv /btrfs_tmp/${cfg.rootSubvolume} "/btrfs_tmp/old_roots/$timestamp"
-        fi
-
-        delete_subvolume_recursively() {
-          IFS=$'\n'
-          for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-             delete_subvolume_recursively "/btrfs_tmp/$i"
-          done
-          btrfs subvolume delete "$1"
-        }
-
-        for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +${toString cfg.oldRootRetentionDays}); do
-          delete_subvolume_recursively "$i"
-        done
-
-        if ! btrfs subvolume create /btrfs_tmp/${cfg.rootSubvolume}; then
-          echo "ERROR: Failed to create subvolume ${cfg.rootSubvolume}"
-          umount /btrfs_tmp
-          exit 1
-        fi
-
-        umount /btrfs_tmp
-      '';
-    };
-  };
-}

modules/nix/agenix.nix

@@ -0,0 +1,37 @@
+{
+  self,
+  inputs,
+  ...
+}:
+{
+  flake-file.inputs = {
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.home-manager.follows = "home-manager";
+    };
+    secrets = {
+      url = "path:./secrets";
+      flake = false;
+    };
+  };
+
+  flake.modules = {
+    nixos.secrets =
+      { pkgs, ... }:
+      {
+        imports = [
+          inputs.agenix.nixosModules.default
+        ];
+        environment.systemPackages = [ inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default ];
+      };
+
+    # homeManager.secrets =
+    #   { pkgs, ... }:
+    #   {
+    #     imports = [
+    #       inputs.agenix.homeManagerModules.default
+    #     ];
+    #   };
+  };
+}

modules/nix/dendritic-tools.nix

@@ -0,0 +1,25 @@
+{
+  inputs,
+  ...
+}:
+{
+  flake-file.inputs = {
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    flake-file.url = "github:vic/flake-file";
+    import-tree.url = "github:vic/import-tree";
+  };
+
+  imports = [
+    inputs.flake-parts.flakeModules.modules
+    inputs.flake-file.flakeModules.default
+  ];
+
+  flake-file.outputs = ''
+    inputs: inputs.flake-parts.lib.mkFlake { inherit inputs; } (inputs.import-tree ./modules)
+  '';
+
+  systems = [
+    "aarch64-linux"
+    "x86_64-linux"
+  ];
+}

modules/nix/factory.nix

@@ -0,0 +1,12 @@
+{
+  lib,
+  ...
+}:
+{
+  # factory: storage for factory aspect functions
+
+  options.flake.factory = lib.mkOption {
+    type = lib.types.attrsOf lib.types.unspecified;
+    default = { };
+  };
+}

modules/nix/home-manager.nix

@@ -0,0 +1,36 @@
+{
+  inputs,
+  config,
+  ...
+}:
+
+let
+  home-manager-config =
+    { lib, ... }:
+    {
+      home-manager = {
+        verbose = false;
+        useUserPackages = true;
+        useGlobalPkgs = true;
+        backupFileExtension = "backup";
+        backupCommand = "rm";
+        overwriteBackup = true;
+      };
+    };
+in
+
+{
+  flake-file.inputs = {
+    home-manager = {
+      url = "github:nix-community/home-manager/master";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  flake.modules.nixos.home-manager = {
+    imports = [
+      inputs.home-manager.nixosModules.home-manager
+      home-manager-config
+    ];
+  };
+}

modules/nix/impermanence.nix

@@ -0,0 +1,54 @@
+{ inputs, ... }:
+
+{
+  flake-file.inputs = {
+    impermanence.url = "github:nix-community/impermanence";
+  };
+
+  # convenience function to set persistence settings only, if impermanence module was imported
+  flake.lib = {
+    mkIfPersistence =
+      config: settings:
+      if config ? home then
+        (if config.home ? persistence then settings else { })
+      else
+        (if config.environment ? persistence then settings else { });
+  };
+
+  flake.modules.nixos.impermanence =
+    { config, ... }:
+    {
+      imports = [
+        inputs.impermanence.nixosModules.impermanence
+      ];
+
+      environment.persistence."/persistent" = {
+        hideMounts = true;
+        directories = [
+          "/var/log"
+          "/var/lib/nixos"
+          "/var/lib/systemd/coredump"
+          "/etc/NetworkManager/system-connections"
+        ];
+        files = [
+          "/etc/machine-id"
+          "/etc/ssh/ssh_host_ed25519_key"
+          "/etc/ssh/ssh_host_ed25519_key.pub"
+          "/etc/ssh/ssh_host_rsa_key"
+          "/etc/ssh/ssh_host_rsa_key.pub"
+        ];
+      };
+
+      # home-manager.sharedModules = [
+      #   {
+      #     home.persistence."/persistent" = {
+      #     };
+      #   }
+      # ];
+
+      fileSystems."/persistent".neededForBoot = true;
+
+      programs.fuse.userAllowOther = true;
+    };
+
+}

modules/nix/lib.nix

@@ -0,0 +1,34 @@
+{
+  inputs,
+  lib,
+  ...
+}:
+{
+  # Helper functions for creating system & home-manager configurations
+
+  options.flake.lib = lib.mkOption {
+    type = lib.types.attrsOf lib.types.unspecified;
+    default = { };
+  };
+
+  config.flake.lib = {
+    mkNixos = system: name: {
+      ${name} = inputs.nixpkgs.lib.nixosSystem {
+        modules = [
+          inputs.self.modules.nixos.${name}
+          { nixpkgs.hostPlatform = lib.mkDefault system; }
+        ];
+      };
+    };
+
+    mkHomeManager = system: name: {
+      ${name} = inputs.home-manager.lib.homeManagerConfiguration {
+        pkgs = inputs.nixpkgs.legacyPackages.${system};
+        modules = [
+          inputs.self.modules.homeManager.${name}
+          { nixpkgs.config.allowUnfree = true; }
+        ];
+      };
+    };
+  };
+}

modules/nix/pkgs-by-name.nix

@@ -0,0 +1,42 @@
+{
+  inputs,
+  withSystem,
+  ...
+}:
+{
+  flake-file.inputs = {
+    pkgs-by-name-for-flake-parts.url = "github:drupol/pkgs-by-name-for-flake-parts";
+    packages = {
+      url = "path:./packages";
+      flake = false;
+    };
+  };
+
+  imports = [
+    inputs.pkgs-by-name-for-flake-parts.flakeModule
+  ];
+
+  perSystem =
+    { system, ... }:
+    {
+      pkgsDirectory = inputs.packages;
+    };
+
+  flake = {
+    overlays.default = _final: prev: {
+      local = withSystem prev.stdenv.hostPlatform.system ({ config, ... }: config.packages);
+    };
+
+    modules.generic.pkgs-by-name =
+      { pkgs, ... }:
+      {
+        nixpkgs.overlays = [
+          inputs.self.overlays.default
+        ];
+        nixpkgs-stable.overlays = [
+          inputs.self.overlays.default
+        ];
+      };
+  };
+
+}