opencode from nix-ai-tools

Flake lock file updates:

• Updated input 'nix-ai-tools':
    'github:numtide/llm-agents.nix/266d4d8a55eef6dd23cd0adced301053d8fc23c9?narHash=sha256-HQXK2CXAhBuTBw99Ip018Vp9MMAPfJVywgRrkwMUgMc%3D' (2026-02-12)
  → 'github:numtide/llm-agents.nix/db94a329058a1a37b49d3209af85708b3338559a?narHash=sha256-q5Wsb1573qDfIPJctG9CBZP0NMniejoB7SmBLZIVAHg%3D' (2026-02-23)
• Updated input 'nix-ai-tools/blueprint':
    'github:numtide/blueprint/c7da5c70ad1c9b60b6f5d4f674fbe205d48d8f6c?narHash=sha256-zI%2B7cbMI4wMIR57jMjDSEsVb3grapTnURDxxJPYFIW0%3D' (2026-01-25)
  → 'github:numtide/blueprint/06ee7190dc2620ea98af9eb225aa9627b68b0e33?narHash=sha256-bLqwib%2BrtyBRRVBWhMuBXPCL/OThfokA%2Bj6%2BuH7jDGU%3D' (2026-02-18)
• Updated input 'nix-ai-tools/nixpkgs':
    'github:NixOS/nixpkgs/2343bbb58f99267223bc2aac4fc9ea301a155a16?narHash=sha256-LovWTGDwXhkfCOmbgLVA10bvsi/P8eDDpRudgk68HA8%3D' (2026-02-11)
  → 'github:NixOS/nixpkgs/d1c15b7d5806069da59e819999d70e1cec0760bf?narHash=sha256-b9uG8yN50DRQ6A7JdZBfzq718ryYrlmGgqkRm9OOwCE%3D' (2026-02-16)

.gitignore

@@ -1,3 +1,13 @@
-result/
+# Nix build outputs
+result
+result-*
 .direnv/
-.pre-commit-config.yaml
+oci-trantor/
+tailscale-tailnet/
+cloudflare-baduhaidev
+
+# Personal notes and temporary files
+todo.md
+notes.md
+scratch/
+tmp/

aspects/ai.nix

@@ -0,0 +1,19 @@
+{ ... }:
+{
+  flake.modules.nixos.ai =
+    { inputs, pkgs, ... }:
+    {
+      environment.systemPackages =
+        (with pkgs; [ ])
+        ++ (with inputs.nix-ai-tools.packages.${pkgs.stdenv.hostPlatform.system}; [
+          opencode
+        ]);
+
+      nix.settings = {
+        extra-substituters = [ "https://cache.numtide.com" ];
+        extra-trusted-public-keys = [
+          "niks3.numtide.com-1:DTx8wZduET09hRmMtKdQDxNNthLQETkc/yaX7M4qK0g="
+        ];
+      };
+    };
+}

aspects/base/bash.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  flake.modules.homeManager.bash =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      programs.bash = {
+        enable = true;
+        historyFile = "~/.cache/bash_history";
+      };
+    };
+}

aspects/base/boot.nix

@@ -0,0 +1,23 @@
+{ ... }:
+{
+  flake.modules.nixos.boot =
+    { pkgs, ... }:
+    {
+      boot = {
+        loader = {
+          timeout = 1;
+          efi.canTouchEfiVariables = true;
+          systemd-boot = {
+            enable = true;
+            editor = false;
+            consoleMode = "max";
+            sortKey = "aa";
+            netbootxyz = {
+              enable = true;
+              sortKey = "zz";
+            };
+          };
+        };
+      };
+    };
+}

aspects/base/console.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  flake.modules.nixos.console =
+    { ... }:
+    {
+      console = {
+        useXkbConfig = true;
+        earlySetup = true;
+      };
+    };
+}

aspects/base/firewall.nix

@@ -0,0 +1,11 @@
+{ ... }:
+{
+  flake.modules.nixos.firewall =
+    { ... }:
+    {
+      networking = {
+        firewall.enable = true;
+        nftables.enable = true;
+      };
+    };
+}

aspects/base/fish.nix

@@ -0,0 +1,47 @@
+{ ... }:
+{
+  flake.modules = {
+    nixos.fish =
+      { ... }:
+      {
+        programs.fish.enable = true;
+      };
+    homeManager.fish =
+      {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+      {
+        programs.fish = {
+          enable = true;
+          interactiveShellInit = ''
+            set fish_greeting
+            ${lib.getExe pkgs.nix-your-shell} fish | source
+          '';
+          loginShellInit = "${lib.getExe pkgs.nix-your-shell} fish | source";
+          plugins = [
+            {
+              name = "bang-bang";
+              src = pkgs.fetchFromGitHub {
+                owner = "oh-my-fish";
+                repo = "plugin-bang-bang";
+                rev = "f969c618301163273d0a03d002614d9a81952c1e";
+                sha256 = "sha256-A8ydBX4LORk+nutjHurqNNWFmW6LIiBPQcxS3x4nbeQ=";
+              };
+            }
+            {
+              name = "z";
+              src = pkgs.fetchFromGitHub {
+                owner = "jethrokuan";
+                repo = "z";
+                rev = "067e867debee59aee231e789fc4631f80fa5788e";
+                sha256 = "sha256-emmjTsqt8bdI5qpx1bAzhVACkg0MNB/uffaRjjeuFxU=";
+              };
+            }
+          ];
+        };
+      };
+  };
+}

aspects/base/locale.nix

@@ -1,8 +1,7 @@
-{ hostType, lib, ... }:
+{ ... }:
-
 {
-  config = lib.mkMerge [
+  flake.modules.nixos.locale =
-    # Common configuration
+    { ... }:
     {
       time.timeZone = "America/Bahia";
 
@@ -10,6 +9,7 @@
         defaultLocale = "en_US.UTF-8";
         extraLocaleSettings = {
           LC_ADDRESS = "pt_BR.utf8";
+          LC_COLLATE = "pt_BR.utf8";
           LC_IDENTIFICATION = "pt_BR.utf8";
           LC_MEASUREMENT = "pt_BR.utf8";
           LC_MONETARY = "pt_BR.utf8";
@@ -20,14 +20,5 @@
           LC_TIME = "en_IE.utf8";
         };
       };
-    }
+    };
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-    })
-  ];
 }

aspects/base/nix.nix

@@ -0,0 +1,51 @@
+{ ... }:
+{
+  flake.modules.nixos.nix =
+    { inputs, pkgs, ... }:
+    {
+      imports = [ inputs.nixos-cli.nixosModules.nixos-cli ];
+
+      nix = {
+        settings = {
+          auto-optimise-store = true;
+          connect-timeout = 10;
+          log-lines = 25;
+          min-free = 128000000;
+          max-free = 1000000000;
+          trusted-users = [ "@wheel" ];
+        };
+        extraOptions = "experimental-features = nix-command flakes";
+        gc = {
+          automatic = true;
+          options = "--delete-older-than 8d";
+        };
+      };
+
+      nixpkgs.config = {
+        allowUnfree = true;
+        enableParallelBuilding = true;
+        buildManPages = false;
+        buildDocs = false;
+      };
+
+      services.nixos-cli = {
+        enable = true;
+        config = {
+          use_nvd = true;
+          ignore_dirty_tree = true;
+          apply = {
+            reexec_as_root = true;
+            use_nom = true;
+          };
+          confirmation.empty = "default-yes";
+        };
+      };
+
+      environment.systemPackages = with pkgs; [
+        nix-output-monitor
+        nvd
+      ];
+
+      system.stateVersion = "22.11";
+    };
+}

aspects/base/security.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  flake.modules.nixos.security =
+    { ... }:
+    {
+      security.sudo = {
+        wheelNeedsPassword = false;
+        extraConfig = ''
+          Defaults lecture = never
+        '';
+      };
+    };
+}

aspects/base/ssh.nix

@@ -0,0 +1,32 @@
+{ ... }:
+
+{
+  flake.modules.nixos.ssh =
+    { ... }:
+    {
+      services.openssh = {
+        enable = true;
+        settings.PermitRootLogin = "no";
+        extraConfig = ''
+          PrintLastLog no
+        '';
+      };
+      programs = {
+        bash.interactiveShellInit = ''
+          if [ -n "$SSH_CONNECTION" ] && [ -z "$IN_NIX_SHELL" ] && [ -z "$TMUX" ]; then
+            export TERM=xterm-256color
+            clear
+            fastfetch
+          fi
+        '';
+        fish.interactiveShellInit = ''
+          set fish_greeting
+          if set -q SSH_CONNECTION; and not set -q IN_NIX_SHELL; and not set -q TMUX
+            export TERM=xterm-256color
+            clear
+            fastfetch
+          end
+        '';
+      };
+    };
+}

aspects/bluetooth.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  flake.modules.nixos.bluetooth =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      hardware.bluetooth = {
+        enable = true;
+        powerOnBoot = false;
+      };
+    };
+}

aspects/cli/btop.nix

@@ -0,0 +1,28 @@
+{ ... }:
+{
+  flake.modules = {
+    nixos.btop =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = with pkgs; [ btop ];
+      };
+
+    homeManager.btop =
+      {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+      {
+        programs.btop = {
+          enable = true;
+          settings = {
+            theme_background = false;
+            proc_sorting = "cpu direct";
+            update_ms = 500;
+          };
+        };
+      };
+  };
+}

aspects/cli/comma.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  flake.modules.homeManager.comma =
+    {
+      config,
+      lib,
+      pkgs,
+      inputs,
+      ...
+    }:
+    {
+      imports = [ inputs.nix-index-database.homeModules.nix-index ];
+
+      programs.nix-index-database.comma.enable = true;
+    };
+}

aspects/cli/direnv.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  flake.modules.homeManager.direnv =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      programs.direnv = {
+        enable = true;
+        nix-direnv.enable = true;
+      };
+    };
+}

aspects/cli/helix.nix

@@ -0,0 +1,67 @@
+{ ... }:
+{
+  flake.modules = {
+    nixos.helix =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = with pkgs; [
+          helix
+        ];
+      };
+
+    homeManager.helix =
+      {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+      {
+        home.sessionVariables = {
+          EDITOR = "hx";
+        };
+
+        programs.helix = {
+          enable = true;
+          settings = {
+            editor = {
+              file-picker.hidden = false;
+              idle-timeout = 0;
+              line-number = "relative";
+              cursor-shape = {
+                normal = "underline";
+                insert = "bar";
+                select = "underline";
+              };
+              soft-wrap.enable = true;
+              auto-format = true;
+              indent-guides.render = true;
+            };
+            keys.normal = {
+              space = {
+                o = "file_picker_in_current_buffer_directory";
+                esc = [
+                  "collapse_selection"
+                  "keep_primary_selection"
+                ];
+              };
+            };
+          };
+          languages = {
+            language = [
+              {
+                name = "nix";
+                auto-format = true;
+                formatter.command = "nixfmt";
+              }
+              {
+                name = "typst";
+                auto-format = true;
+                formatter.command = "typstyle -c 1000 -i";
+              }
+            ];
+          };
+        };
+      };
+  };
+}

aspects/cli/hm-cli.nix

@@ -0,0 +1,18 @@
+{ ... }:
+{
+  flake.modules.homeManager.hm-cli =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      home = {
+        packages = with pkgs; [ hm-cli ];
+        sessionVariables = {
+          HM_PATH = "/etc/nixos";
+        };
+      };
+    };
+}

aspects/cli/starship.nix

@@ -0,0 +1,48 @@
+{ ... }:
+{
+  flake.modules.homeManager.starship =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      programs.starship = {
+        enable = true;
+        enableBashIntegration = true;
+        enableFishIntegration = true;
+        settings = {
+          add_newline = false;
+          format = ''
+            $hostname$directory$git_branch$git_status$nix_shell
+            [ ❯ ](bold green)
+          '';
+          right_format = "$cmd_duration$character";
+          hostname = {
+            ssh_symbol = "󰖟 ";
+          };
+          character = {
+            error_symbol = "[](red)";
+            success_symbol = "[󱐋](green)";
+          };
+          cmd_duration = {
+            format = "[󰄉 $duration ]($style)";
+            style = "yellow";
+            min_time = 500;
+          };
+          git_branch = {
+            symbol = " ";
+            style = "purple";
+          };
+          git_status.style = "red";
+          nix_shell = {
+            format = "via [$symbol$state]($style)";
+            heuristic = true;
+            style = "blue";
+            symbol = "󱄅 ";
+          };
+        };
+      };
+    };
+}

aspects/cli/tmux.nix

@@ -0,0 +1,29 @@
+{ ... }:
+{
+  flake.modules = {
+    nixos.tmux =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = with pkgs; [
+          tmux
+        ];
+      };
+
+    homeManager.tmux =
+      {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+      {
+        programs.tmux = {
+          enable = true;
+          clock24 = true;
+          terminal = "xterm-256color";
+          mouse = true;
+          keyMode = "vi";
+        };
+      };
+  };
+}

aspects/constants.nix

@@ -0,0 +1,217 @@
+{
+  inputs,
+  lib,
+  config,
+  ...
+}:
+
+let
+  # Host submodule type
+  hostType = lib.types.submodule {
+    options = {
+      lanIP = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "LAN IP address for the host";
+      };
+      tailscaleIP = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "Tailscale IP address for the host";
+      };
+    };
+  };
+
+  # Service submodule type
+  serviceType = lib.types.submodule {
+    options = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        description = "Service name";
+      };
+      domain = lib.mkOption {
+        type = lib.types.str;
+        description = "Domain name for the service";
+      };
+      host = lib.mkOption {
+        type = lib.types.str;
+        description = "Host where the service runs";
+      };
+      public = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Whether the service is publicly accessible";
+      };
+      lanIP = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "LAN IP address (inherited from host)";
+      };
+      tailscaleIP = lib.mkOption {
+        type = lib.types.nullOr lib.types.str;
+        default = null;
+        description = "Tailscale IP address (inherited from host)";
+      };
+    };
+  };
+
+  # Import shared data (also used by terranix)
+  sharedData = import ../data/services.nix;
+
+  # Enrich services with host IP information
+  enrichServices =
+    hosts: services:
+    map (
+      svc:
+      let
+        hostInfo = hosts.${svc.host} or { };
+      in
+      svc
+      // {
+        lanIP = hostInfo.lanIP or null;
+        tailscaleIP = hostInfo.tailscaleIP or null;
+      }
+    ) services;
+
+in
+{
+  options.flake = {
+    hosts = lib.mkOption {
+      type = lib.types.attrsOf hostType;
+      default = { };
+      description = "Host definitions with IP addresses";
+    };
+
+    services = lib.mkOption {
+      type = lib.types.listOf serviceType;
+      default = [ ];
+      description = "Service definitions with enriched host information";
+    };
+
+    lib = lib.mkOption {
+      type = lib.types.attrsOf lib.types.raw;
+      default = { };
+      description = "Utility functions for flake configuration";
+    };
+  };
+
+  config.flake = {
+    hosts = sharedData.hosts;
+
+    services = enrichServices config.flake.hosts sharedData.services;
+
+    lib = {
+      # Nginx virtual host utilities
+      mkNginxVHosts =
+        { domains }:
+        let
+          mkVHostConfig =
+            domain: vhostConfig:
+            lib.recursiveUpdate {
+              useACMEHost = domain;
+              forceSSL = true;
+              kTLS = true;
+            } vhostConfig;
+        in
+        lib.mapAttrs mkVHostConfig domains;
+
+      # Split DNS utilities for unbound
+      # Generates unbound view config from a list of DNS entries
+      mkSplitDNS =
+        entries:
+        let
+          tailscaleData = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') entries;
+          lanData = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') entries;
+        in
+        [
+          {
+            name = "tailscale";
+            view-first = true;
+            local-zone = ''"baduhai.dev." transparent'';
+            local-data = tailscaleData;
+          }
+          {
+            name = "lan";
+            view-first = true;
+            local-zone = ''"baduhai.dev." transparent'';
+            local-data = lanData;
+          }
+        ];
+      # Generates flake.homeConfigurations
+      mkHomeConfiguration =
+        {
+          user,
+          hostname,
+          system ? "x86_64-linux",
+          stateVersion ? "22.05",
+          nixpkgs ? inputs.nixpkgs, # override with e.g. inputs.nixpkgs-stable
+          userModules ? [ ],
+          overlays ? [ inputs.self.overlays.default ],
+          homeManagerModules ? with inputs.self.modules.homeManager; [
+            base
+            cli
+          ],
+          userDirectory ? "/home/${user}",
+        }:
+        inputs.home-manager.lib.homeManagerConfiguration {
+          pkgs = nixpkgs.legacyPackages.${system};
+
+          extraSpecialArgs = {
+            inherit inputs hostname;
+          };
+
+          modules = [
+            { nixpkgs.overlays = overlays; }
+            {
+              home = {
+                username = user;
+                homeDirectory = userDirectory;
+                inherit stateVersion;
+              };
+            }
+            ((inputs.import-tree.initFilter (p: lib.hasSuffix ".nix" p))
+              "/${inputs.self}/aspects/users/_${user}"
+            )
+          ]
+          ++ homeManagerModules
+          ++ userModules;
+        };
+      # Generates flake.nixosConfigurations
+      mkHost =
+        {
+          hostname,
+          system ? "x86_64-linux",
+          nixpkgs ? inputs.nixpkgs,
+          overlays ? [
+            inputs.agenix.overlays.default
+            inputs.self.overlays.default
+          ],
+          ephemeralRootDev ? null, # pass rootDevice string to enable, e.g. ephemeralephemeralRootDev = "/dev/mapper/cryptroot"
+          nixosModules ? with inputs.self.modules.nixos; [
+            base
+            cli
+            user
+            root
+          ],
+          extraModules ? [ ],
+        }:
+        nixpkgs.lib.nixosSystem {
+          inherit system;
+          specialArgs = { inherit inputs; };
+          modules = [
+            inputs.agenix.nixosModules.default
+            { networking.hostName = hostname; }
+            { nixpkgs.overlays = overlays; }
+            ((inputs.import-tree.initFilter (p: lib.hasSuffix ".nix" p))
+              "${inputs.self}/aspects/hosts/_${hostname}"
+            )
+          ]
+          ++ (lib.optional (ephemeralRootDev != null) (
+            inputs.self.factory.ephemeral { rootDevice = ephemeralRootDev; }
+          ))
+          ++ nixosModules
+          ++ extraModules;
+        };
+    };
+  };
+}

aspects/desktop/graphics.nix

@@ -0,0 +1,25 @@
+{ ... }:
+
+{
+  flake.modules.nixos.graphics =
+    { pkgs, ... }:
+    {
+      environment.systemPackages = with pkgs; [
+        gimp
+        inkscape
+        plasticity
+      ];
+
+      services.flatpak.packages = [
+        "com.boxy_svg.BoxySVG"
+        rec {
+          appId = "io.github.softfever.OrcaSlicer";
+          sha256 = "0hdx5sg6fknj1pfnfxvlfwb5h6y1vjr6fyajbsnjph5gkp97c6p1";
+          bundle = "${pkgs.fetchurl {
+            url = "https://github.com/SoftFever/OrcaSlicer/releases/download/v2.3.0/OrcaSlicer-Linux-flatpak_V2.3.0_x86_64.flatpak";
+            inherit sha256;
+          }}";
+        }
+      ];
+    };
+}

aspects/desktop/media.nix

@@ -0,0 +1,29 @@
+{ ... }:
+
+{
+  flake.modules = {
+    nixos.media =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = with pkgs; [
+          decibels
+          loupe
+          obs-studio
+          showtime
+        ];
+      };
+
+    homeManager.media =
+      { pkgs, ... }:
+      {
+        programs.obs-studio = {
+          enable = true;
+          plugins = with pkgs.obs-studio-plugins; [
+            obs-vkcapture
+            obs-backgroundremoval
+            obs-pipewire-audio-capture
+          ];
+        };
+      };
+  };
+}

aspects/desktop/niri.nix

@@ -0,0 +1,246 @@
+{ ... }:
+{
+  flake.modules = {
+    nixos.niri =
+      {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+      {
+        services.greetd.settings = {
+          default_session.command = "${lib.getExe pkgs.tuigreet} --user-menu --time --remember --asterisks --cmd ${config.programs.niri.package}/bin/niri-session";
+        };
+
+        programs.niri.enable = true;
+      };
+    homeManager.niri =
+      {
+        config,
+        lib,
+        pkgs,
+        inputs,
+        hostname ? null,
+        ...
+      }:
+      let
+        isRotterdam = hostname == "rotterdam";
+      in
+      {
+        imports = [ inputs.noctalia.homeModules.default ];
+
+        services.kanshi = {
+          enable = true;
+          settings = [
+            {
+              profile.name = "default";
+              profile.outputs = [
+                {
+                  criteria = "*";
+                  scale = 1.0;
+                }
+              ];
+            }
+          ];
+        };
+
+        home = {
+          packages = with pkgs; [
+            xwayland-satellite
+            inputs.noctalia.packages.${pkgs.stdenv.hostPlatform.system}.default
+          ];
+          sessionVariables.QT_QPA_PLATFORMTHEME = "gtk3";
+        };
+
+        xdg.configFile."niri/config.kdl".text = ''
+          input {
+            keyboard {
+              xkb {
+                layout "us"
+                variant "altgr-intl"
+              }
+            }
+            touchpad {
+              tap
+              dwt
+              drag true
+              drag-lock
+              natural-scroll
+              accel-speed 0.2
+              accel-profile "flat"
+              scroll-method "two-finger"
+              middle-emulation
+            }
+            mouse {
+              natural-scroll
+              accel-speed 0.2
+              accel-profile "flat"
+            }
+            warp-mouse-to-focus mode="center-xy"
+            focus-follows-mouse
+          }
+
+          output "LG Electronics LG ULTRAWIDE 206AZFM5E459" {
+            layout {
+              preset-column-widths {
+                proportion 0.33333
+                proportion 0.5
+                proportion 0.66667
+              }
+              default-column-width { proportion 0.33333; }
+            }
+          }
+
+          layout {
+            gaps 8
+            center-focused-column "never"
+            always-center-single-column
+            empty-workspace-above-first
+            preset-column-widths {
+              proportion 0.5
+              proportion 1.0
+            }
+            default-column-width { proportion 0.5; }
+            focus-ring {
+              off
+            }
+            border {
+              width 4
+              active-color "#ffc87f"
+              inactive-color "#505050"
+              urgent-color "#9b0000"
+            }
+            tab-indicator {
+              width 4
+              gap 4
+              place-within-column
+            }
+          }
+
+          overview {
+            zoom 0.65
+          }
+
+          spawn-at-startup "noctalia-shell" "-d"
+          spawn-at-startup "${lib.getExe pkgs.niri-auto-centre}"
+          layer-rule {
+            match namespace="^noctalia-overview*"
+            place-within-backdrop true
+          }
+
+          hotkey-overlay {
+            skip-at-startup
+          }
+
+          prefer-no-csd
+          screenshot-path "~/Pictures/Screenshots/Screenshot from %Y-%m-%d %H-%M-%S.png"
+
+          animations {
+            slowdown 0.3
+          }
+
+          window-rule {
+            match app-id="zen"
+            default-column-width { proportion ${if isRotterdam then "0.5" else "1.0"}; }
+          }
+
+          window-rule {
+            geometry-corner-radius 12
+            clip-to-geometry true
+          }
+
+          config-notification {
+            disable-failed
+          }
+
+          binds {
+            Alt+Space repeat=false { spawn "vicinae" "toggle"; }
+            XF86AudioRaiseVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "increase"; }
+            XF86AudioLowerVolume allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "decrease"; }
+            XF86AudioMute allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "volume" "muteOutput"; }
+            XF86MonBrightnessUp allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "brightness" "increase"; }
+            XF86MonBrightnessDown allow-when-locked=true { spawn "noctalia-shell" "ipc" "call" "brightness" "decrease"; }
+            XF86AudioPlay        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "play-pause"; }
+            XF86AudioStop        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "stop"; }
+            XF86AudioPrev        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "previous"; }
+            XF86AudioNext        allow-when-locked=true { spawn "${lib.getExe pkgs.playerctl}" "next"; }
+            Mod+V repeat=false { spawn "vicinae" "vicinae://extensions/vicinae/clipboard/history"; }
+            Mod+Shift+L repeat=false { spawn "noctalia-shell" "ipc" "call" "lockScreen" "lock"; }
+            Mod+Return { spawn "ghostty"; }
+            Ctrl+Alt+Shift+A allow-when-locked=true { spawn "toggleaudiosink"; }
+            Mod+W repeat=false { toggle-overview; }
+            Mod+Q { close-window; }
+            Alt+Shift+Q { close-window;}
+            Mod+Shift+Q { close-window; }
+            Alt+F4 { close-window; }
+            Mod+Left  { focus-column-left; }
+            Mod+Down  { focus-window-or-workspace-down; }
+            Mod+Up    { focus-window-or-workspace-up; }
+            Mod+Right { focus-column-right; }
+            Mod+H     { focus-column-left; }
+            Mod+L     { focus-column-right; }
+            Mod+J     { focus-window-or-workspace-down; }
+            Mod+K     { focus-window-or-workspace-up; }
+            Mod+Ctrl+Left  { move-column-left; }
+            Mod+Ctrl+Down  { move-window-down-or-to-workspace-down; }
+            Mod+Ctrl+Up    { move-window-up-or-to-workspace-up; }
+            Mod+Ctrl+Right { move-column-right; }
+            Mod+Ctrl+H     { move-column-left; }
+            Mod+Ctrl+J     { move-window-down-or-to-workspace-down; }
+            Mod+Ctrl+K     { move-window-up-or-to-workspace-up; }
+            Mod+Ctrl+L     { move-column-right; }
+            Mod+Home { focus-column-first; }
+            Mod+End  { focus-column-last; }
+            Mod+Ctrl+Home { move-column-to-first; }
+            Mod+Ctrl+End  { move-column-to-last; }
+            Mod+Alt+Left  { focus-monitor-left; }
+            Mod+Alt+Down  { focus-monitor-down; }
+            Mod+Alt+Up    { focus-monitor-up; }
+            Mod+Alt+Right { focus-monitor-right; }
+            Mod+Alt+H     { focus-monitor-left; }
+            Mod+Alt+J     { focus-monitor-down; }
+            Mod+Alt+K     { focus-monitor-up; }
+            Mod+Alt+L     { focus-monitor-right; }
+            Mod+Alt+Ctrl+Left  { move-column-to-monitor-left; }
+            Mod+Alt+Ctrl+Down  { move-column-to-monitor-down; }
+            Mod+Alt+Ctrl+Up    { move-column-to-monitor-up; }
+            Mod+Alt+Ctrl+Right { move-column-to-monitor-right; }
+            Mod+Alt+Ctrl+H     { move-column-to-monitor-left; }
+            Mod+Alt+Ctrl+J     { move-column-to-monitor-down; }
+            Mod+Alt+Ctrl+K     { move-column-to-monitor-up; }
+            Mod+Alt+Ctrl+L     { move-column-to-monitor-right; }
+            Mod+Ctrl+U         { move-workspace-down; }
+            Mod+Ctrl+I         { move-workspace-up; }
+            Mod+WheelScrollDown      cooldown-ms=150 { focus-workspace-down; }
+            Mod+WheelScrollUp        cooldown-ms=150 { focus-workspace-up; }
+            Mod+Ctrl+WheelScrollDown cooldown-ms=150 { move-column-to-workspace-down; }
+            Mod+Ctrl+WheelScrollUp   cooldown-ms=150 { move-column-to-workspace-up; }
+            Mod+Shift+WheelScrollDown      { focus-column-right; }
+            Mod+Shift+WheelScrollUp        { focus-column-left; }
+            Mod+Ctrl+Shift+WheelScrollDown { move-column-right; }
+            Mod+Ctrl+Shift+WheelScrollUp   { move-column-left; }
+            Mod+BracketLeft  { consume-or-expel-window-left; }
+            Mod+BracketRight { consume-or-expel-window-right; }
+            Mod+Comma  { consume-window-into-column; }
+            Mod+Period { expel-window-from-column; }
+            Mod+R { switch-preset-column-width; }
+            Mod+F { maximize-column; }
+            Mod+Ctrl+F { fullscreen-window; }
+            Mod+C { center-visible-columns; }
+            Mod+Ctrl+C { center-column; }
+            Mod+Space       { toggle-window-floating; }
+            Mod+Ctrl+Space  { switch-focus-between-floating-and-tiling; }
+            Mod+T { toggle-column-tabbed-display; }
+            Print { screenshot-screen; }
+            Mod+Print { screenshot; }
+            Ctrl+Print { screenshot-window; }
+            Mod+Backspace allow-inhibiting=false { toggle-keyboard-shortcuts-inhibit; }
+            Mod+Alt+E { spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle"; }
+            Ctrl+Alt+Delete { spawn "noctalia-shell" "ipc" "call" "sessionMenu" "toggle"; }
+            Mod+Ctrl+P { power-off-monitors; }
+          }
+        '';
+      };
+  };
+}

aspects/desktop/office.nix

@@ -0,0 +1,23 @@
+{ ... }:
+
+{
+  flake.modules.nixos.office =
+    { pkgs, ... }:
+    {
+      environment.systemPackages = with pkgs; [
+        aspell
+        aspellDicts.de
+        aspellDicts.en
+        aspellDicts.en-computers
+        aspellDicts.pt_BR
+        glow
+        papers
+        presenterm
+        rnote
+      ];
+
+      services.flatpak.packages = [
+        "com.collabora.Office"
+      ];
+    };
+}

aspects/desktop/web.nix

@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+  flake.modules.nixos.web =
+    {
+      inputs,
+      pkgs,
+      ...
+    }:
+    {
+      environment.systemPackages = with pkgs; [
+        inputs.zen-browser.packages."${pkgs.stdenv.hostPlatform.system}".default
+        beeper
+        bitwarden-desktop
+        fragments
+        nextcloud-client
+        tor-browser
+        ungoogled-chromium
+        vesktop
+      ];
+    };
+}

aspects/dev.nix

@@ -0,0 +1,23 @@
+{ ... }:
+{
+  flake.modules.nixos.dev =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      environment.systemPackages = with pkgs; [
+        android-tools
+        lazygit
+        fd
+        fzf
+        nixfmt
+        nix-init
+        ripgrep
+      ];
+
+      users.users.user.extraGroups = [ "adbusers" ];
+    };
+}

aspects/ephemeral.nix

@@ -0,0 +1,139 @@
+# Ephemeral root aspect - provides automatic btrfs root subvolume rollover
+# Exports both a base module with options and a factory function for easy configuration
+{ inputs, ... }:
+{
+  # Base module with options (for external flakes or direct use)
+  flake.modules.nixos.ephemeral =
+    { lib, config, ... }:
+    let
+      cfg = config.ephemeral;
+    in
+    {
+      options.ephemeral = {
+        enable = lib.mkEnableOption "ephemeral root with automatic rollback";
+
+        rootDevice = lib.mkOption {
+          type = lib.types.str;
+          example = "/dev/mapper/cryptroot";
+          description = "Device path for the root btrfs filesystem";
+        };
+
+        rootSubvolume = lib.mkOption {
+          type = lib.types.str;
+          default = "@root";
+          description = "Name of the root btrfs subvolume";
+        };
+
+        oldRootRetentionDays = lib.mkOption {
+          type = lib.types.int;
+          default = 30;
+          description = "Number of days to keep old root snapshots before deletion";
+        };
+      };
+
+      config = lib.mkIf cfg.enable {
+        boot.initrd.systemd.services.recreate-root = {
+          description = "Rolling over and creating new filesystem root";
+          requires = [ "initrd-root-device.target" ];
+          after = [
+            "local-fs-pre.target"
+            "initrd-root-device.target"
+          ];
+          requiredBy = [ "initrd-root-fs.target" ];
+          before = [ "sysroot.mount" ];
+          unitConfig = {
+            AssertPathExists = "/etc/initrd-release";
+            DefaultDependencies = false;
+          };
+          serviceConfig = {
+            Type = "oneshot";
+            RemainAfterExit = true;
+          };
+          script = ''
+            set -euo pipefail
+
+            mkdir /btrfs_tmp
+            if ! mount ${cfg.rootDevice} /btrfs_tmp; then
+              echo "ERROR: Failed to mount ${cfg.rootDevice}"
+              exit 1
+            fi
+
+            if [[ -e /btrfs_tmp/${cfg.rootSubvolume} ]]; then
+              mkdir -p /btrfs_tmp/old_roots
+              timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/${cfg.rootSubvolume})" "+%Y-%m-%-d_%H:%M:%S")
+              mv /btrfs_tmp/${cfg.rootSubvolume} "/btrfs_tmp/old_roots/$timestamp"
+            fi
+
+            delete_subvolume_recursively() {
+              IFS=$'\n'
+              for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+                 delete_subvolume_recursively "/btrfs_tmp/$i"
+              done
+              btrfs subvolume delete "$1"
+            }
+
+            for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +${toString cfg.oldRootRetentionDays}); do
+              delete_subvolume_recursively "$i"
+            done
+
+            if ! btrfs subvolume create /btrfs_tmp/${cfg.rootSubvolume}; then
+              echo "ERROR: Failed to create subvolume ${cfg.rootSubvolume}"
+              umount /btrfs_tmp
+              exit 1
+            fi
+
+            umount /btrfs_tmp
+          '';
+        };
+      };
+    };
+
+  # Factory function that generates configured modules
+  flake.factory.ephemeral =
+    {
+      rootDevice,
+      rootSubvolume ? "@root",
+      retentionDays ? 30,
+      persistentStoragePath ? "/persistent",
+      persistentFiles ? [
+        "/etc/machine-id"
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_rsa_key.pub"
+      ],
+      persistentDirectories ? [
+        "/etc/NetworkManager/system-connections"
+        "/etc/nixos"
+        "/var/lib/bluetooth"
+        "/var/lib/flatpak"
+        "/var/lib/lxd"
+        "/var/lib/nixos"
+        "/var/lib/systemd/coredump"
+        "/var/lib/systemd/timers"
+        "/var/lib/tailscale"
+        "/var/log"
+      ],
+    }:
+    { ... }:
+    {
+      imports = [
+        inputs.impermanence.nixosModules.impermanence
+        inputs.self.modules.nixos.ephemeral
+      ];
+
+      ephemeral = {
+        enable = true;
+        inherit rootDevice rootSubvolume;
+        oldRootRetentionDays = retentionDays;
+      };
+
+      fileSystems."/persistent".neededForBoot = true;
+
+      environment.persistence.main = {
+        inherit persistentStoragePath;
+        files = persistentFiles;
+        directories = persistentDirectories;
+      };
+    };
+}

aspects/fwupd.nix

@@ -0,0 +1,13 @@
+{ ... }:
+{
+  flake.modules.nixos.fwupd =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      services.fwupd.enable = true;
+    };
+}

aspects/gaming/mangohud.nix

@@ -0,0 +1,47 @@
+{ ... }:
+
+{
+  flake.modules = {
+    nixos.mangohud =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = with pkgs; [
+          mangohud
+        ];
+      };
+
+    homeManager.mangohud =
+      { config, ... }:
+      {
+        programs.mangohud = {
+          enable = true;
+          enableSessionWide = true;
+          settings = {
+            position = "top-left";
+            fps = true;
+            frametime = false;
+            frame_timing = false;
+            gpu_stats = true;
+            gpu_temp = true;
+            gpu_power = true;
+            cpu_stats = true;
+            cpu_temp = true;
+            cpu_power = true;
+            ram = true;
+            vram = true;
+            gamemode = false;
+            vkbasalt = false;
+            version = false;
+            engine_version = false;
+            vulkan_driver = false;
+            wine = false;
+            time = false;
+            fps_sampling_period = 500;
+            toggle_hud = "Shift_L+F12";
+            toggle_logging = "Ctrl_L+F2";
+            output_folder = "${config.home.homeDirectory}/.local/share/mangohud";
+          };
+        };
+      };
+  };
+}

aspects/gaming/steam.nix

@@ -0,0 +1,24 @@
+{ ... }:
+
+{
+  flake.modules.nixos.steam =
+    { pkgs, ... }:
+    {
+      environment.systemPackages = with pkgs; [
+        steam-run
+      ];
+
+      programs = {
+        steam = {
+          enable = true;
+          extraCompatPackages = [ pkgs.proton-ge-bin ];
+        };
+        gamemode.enable = true;
+      };
+
+      services.flatpak.packages = [
+        "com.steamgriddb.SGDBoop"
+        "io.github.Foldex.AdwSteamGtk"
+      ];
+    };
+}

aspects/hosts/_alexandria/jellyfin.nix

@@ -0,0 +1,14 @@
+{ lib, inputs, ... }:
+let
+  mkNginxVHosts = inputs.self.lib.mkNginxVHosts;
+in
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.nginx.virtualHosts = mkNginxVHosts {
+    domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/";
+  };
+}

aspects/hosts/_alexandria/nextcloud.nix

@@ -1,23 +1,36 @@
 {
-  lib,
   config,
+  inputs,
   pkgs,
   ...
 }:
 
+let
+  mkNginxVHosts = inputs.self.lib.mkNginxVHosts;
+in
+
 {
   services = {
     nextcloud = {
       enable = true;
-      package = pkgs.nextcloud31;
+      package = pkgs.nextcloud32;
       datadir = "/data/nextcloud";
       hostName = "cloud.baduhai.dev";
       configureRedis = true;
       https = true;
-      autoUpdateApps.enable = true;
       secretFile = config.age.secrets."nextcloud-secrets.json".path;
       database.createLocally = true;
       maxUploadSize = "16G";
+      extraApps = {
+        inherit (config.services.nextcloud.package.packages.apps)
+          calendar
+          contacts
+          notes
+          tasks
+          user_oidc
+          ;
+      };
+      extraAppsEnable = true;
       caching = {
         apcu = true;
         redis = true;
@@ -26,6 +39,7 @@
         trusted_proxies = [ "127.0.0.1" ];
         default_phone_region = "BR";
         maintenance_window_start = "4";
+        allow_local_remote_servers = true;
         enabledPreviewProviders = [
           "OC\\Preview\\BMP"
           "OC\\Preview\\EMF"
@@ -61,43 +75,21 @@
       };
     };
 
-    collabora-online = {
+    nginx.virtualHosts = mkNginxVHosts {
-      enable = true;
+      domains."cloud.baduhai.dev" = { };
-      port = lib.strings.toInt config.ports.collabora;
-      settings.ssl = {
-        enable = false;
-        termination = true;
-      };
-    };
-
-    nginx.virtualHosts = {
-      ${config.services.nextcloud.hostName} = {
-        useACMEHost = "baduhai.dev";
-        forceSSL = true;
-        kTLS = true;
-      };
-      "office.baduhai.dev" = {
-        useACMEHost = "baduhai.dev";
-        forceSSL = true;
-        kTLS = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:${config.ports.collabora}";
-          proxyWebsockets = true;
-        };
-      };
     };
   };
 
   age.secrets = {
     "nextcloud-secrets.json" = {
-      file = ../../../secrets/nextcloud-secrets.json.age;
+      file = "${inputs.self}/secrets/nextcloud-secrets.json.age";
       owner = "nextcloud";
-      group = "hosted";
+      group = "nextcloud";
     };
     nextcloud-adminpass = {
-      file = ../../../secrets/nextcloud-adminpass.age;
+      file = "${inputs.self}/secrets/nextcloud-adminpass.age";
       owner = "nextcloud";
-      group = "hosted";
+      group = "nextcloud";
     };
   };
 }

aspects/hosts/_alexandria/nginx.nix

@@ -0,0 +1,58 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  services = inputs.self.services;
+
+  # Get all unique domains from shared services that have LAN IPs (served by this host)
+  localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "alexandria") services));
+
+  # Generate ACME cert configs for all local domains
+  acmeCerts = lib.genAttrs localDomains (domain: {
+    group = "nginx";
+  });
+in
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "baduhai@proton.me";
+      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.cloudflare.path;
+    };
+    certs = acmeCerts;
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "_" = {
+        default = true;
+        locations."/".return = "444";
+      };
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  age.secrets.cloudflare = {
+    file = "${inputs.self}/secrets/cloudflare.age";
+    owner = "nginx";
+    group = "nginx";
+  };
+}

aspects/hosts/_alexandria/unbound.nix

@@ -0,0 +1,57 @@
+{ inputs, lib, ... }:
+
+let
+  services = inputs.self.services;
+in
+
+{
+  services.unbound = {
+    enable = true;
+    enableRootTrustAnchor = true;
+    settings = {
+      server = {
+        interface = [
+          "0.0.0.0"
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "192.168.0.0/16 allow"
+          "::1/128 allow"
+        ];
+
+        num-threads = 2;
+        msg-cache-size = "50m";
+        rrset-cache-size = "100m";
+        cache-min-ttl = 300;
+        cache-max-ttl = 86400;
+        prefetch = true;
+        prefetch-key = true;
+        hide-identity = true;
+        hide-version = true;
+        so-rcvbuf = "1m";
+        so-sndbuf = "1m";
+
+        # LAN-only DNS records
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'') (lib.filter (e: e.lanIP != null) services);
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "1.1.1.1@853#cloudflare-dns.com"
+            "1.0.0.1@853#cloudflare-dns.com"
+          ];
+          forward-tls-upstream = true;
+        }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+}

aspects/hosts/_alexandria/vaultwarden.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+let
+  mkNginxVHosts = inputs.self.lib.mkNginxVHosts;
+in
+{
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://pass.baduhai.dev";
+      SIGNUPS_ALLOWED = false;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 58222;
+    };
+  };
+
+  services.nginx.virtualHosts = mkNginxVHosts {
+    domains."pass.baduhai.dev".locations."/".proxyPass =
+      "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+  };
+}

aspects/hosts/_io/boot.nix

@@ -1,5 +1,3 @@
-{ ... }:
-
 {
   boot = {
     # TODO check if future kernel versions fix boot issue with systemd initrd with tpm

aspects/hosts/_io/disko.nix

@@ -0,0 +1,79 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.disko.nixosModules.default ];
+
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";
+    content = {
+      type = "gpt";
+      partitions = {
+        ESP = {
+          priority = 1;
+          name = "ESP";
+          start = "1MiB";
+          end = "1GiB";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot/efi";
+            mountOptions = [
+              "noatime"
+              "fmask=0077"
+              "dmask=0077"
+            ];
+          };
+        };
+        cryptroot = {
+          priority = 2;
+          name = "root";
+          size = "100%";
+          content = {
+            type = "luks";
+            name = "cryptroot";
+            content = {
+              type = "btrfs";
+              extraArgs = [ "-f" ];
+              subvolumes = {
+                "@root" = {
+                  mountpoint = "/";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@root"
+                  ];
+                };
+                "@home" = {
+                  mountpoint = "/home";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@home"
+                  ];
+                };
+                "@nix" = {
+                  mountpoint = "/nix";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@nix"
+                  ];
+                };
+                "@persistent" = {
+                  mountpoint = "/persistent";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@persistent"
+                  ];
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

aspects/hosts/_io/hardware-configuration.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  modulesPath,
+  inputs,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ahci"
+        "usb_storage"
+        "sd_mod"
+        "sdhci_pci"
+      ];
+    };
+    kernelModules = [ "kvm-intel" ];
+  };
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 100;
+  };
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

aspects/hosts/_io/programs.nix

@@ -19,19 +19,9 @@ in
 {
   environment = {
     systemPackages = with pkgs; [
-      arduino-ide
-      esptool
-      # fritzing
       maliit-keyboard
       sof-firmware
     ];
     sessionVariables.ALSA_CONFIG_UCM2 = "${cml-ucm-conf}/share/alsa/ucm2";
   };
-
-  # TODO: remove once gmodena/nix-flatpak/issues/45 fixed
-  systemd.services."flatpak-managed-install" = {
-    serviceConfig = {
-      ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
-    };
-  };
 }

aspects/hosts/_io/services.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
   services = {
@@ -48,5 +48,14 @@
         };
       };
     };
+    upower.enable = true;
+    power-profiles-daemon.enable = true;
+  };
+
+  # TODO: remove once gmodena/nix-flatpak/issues/45 fixed
+  systemd.services."flatpak-managed-install" = {
+    serviceConfig = {
+      ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
+    };
   };
 }

aspects/hosts/_rotterdam/boot.nix

@@ -12,11 +12,7 @@ in
     kernelParams = [
       "processor.max_cstate=1" # Fixes bug where ryzen cpus freeze when in highest C state
       "clearcpuid=514"
-      # Fixes amdgpu freezing
+      "amdgpu.ppfeaturemask=0xfffd3fff" # Fixes amdgpu freezing
-      "amdgpu.noretry=0"
-      "amdgpu.ppfeaturemask=0xfffd3fff"
-      "amdgpu.gpu_recovery=1"
-      "amdgpu.lockup_timeout=1000"
     ];
     # QubesOS boot entry
     loader.systemd-boot = {

aspects/hosts/_rotterdam/hardware.nix

@@ -2,10 +2,7 @@
 
 {
   hardware = {
-    amdgpu = {
+    amdgpu.opencl.enable = true;
-      opencl.enable = true;
-      amdvlk.enable = true;
-    };
     graphics.extraPackages = with pkgs; [ rocmPackages.clr.icd ];
   };
 }

aspects/hosts/_rotterdam/programs.nix

@@ -27,7 +27,5 @@ in
 {
   environment.systemPackages = [ reboot-into-qubes ];
 
-  services.flatpak.packages = [ "net.retrodeck.retrodeck" ];
-
   programs.steam.dedicatedServer.openFirewall = true;
 }

aspects/hosts/_rotterdam/services.nix

@@ -1,5 +1,3 @@
-{ ... }:
-
 {
   services.keyd = {
     enable = true;

aspects/hosts/_trantor/boot.nix

@@ -0,0 +1,6 @@
+{
+  boot = {
+    initrd.systemd.enable = true;
+    loader.efi.efiSysMountPoint = "/boot/efi";
+  };
+}

aspects/hosts/_trantor/disko.nix

@@ -0,0 +1,64 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.disko.nixosModules.default ];
+
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20";
+    content = {
+      type = "gpt";
+      partitions = {
+        ESP = {
+          priority = 1;
+          name = "ESP";
+          start = "1MiB";
+          end = "512MiB";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot/efi";
+            mountOptions = [
+              "noatime"
+              "fmask=0077"
+              "dmask=0077"
+            ];
+          };
+        };
+        root = {
+          priority = 2;
+          name = "root";
+          size = "100%";
+          content = {
+            type = "btrfs";
+            extraArgs = [ "-f" ];
+            subvolumes = {
+              "@root" = {
+                mountpoint = "/";
+                mountOptions = [
+                  "noatime"
+                  "compress=zstd"
+                ];
+              };
+              "@nix" = {
+                mountpoint = "/nix";
+                mountOptions = [
+                  "noatime"
+                  "compress=zstd"
+                ];
+              };
+              "@persistent" = {
+                mountpoint = "/persistent";
+                mountOptions = [
+                  "noatime"
+                  "compress=zstd"
+                ];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

aspects/hosts/_trantor/fail2ban.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    ignoreIP = [
+      "127.0.0.0/8"
+      "::1"
+      "10.0.0.0/8"
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+      "100.64.0.0/10"
+    ];
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "10000h";
+      overalljails = true;
+    };
+  };
+}

aspects/hosts/_trantor/forgejo.nix

@@ -0,0 +1,76 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  mkNginxVHosts = inputs.self.lib.mkNginxVHosts;
+in
+
+{
+  services = {
+    forgejo = {
+      enable = true;
+      settings = {
+        session.COOKIE_SECURE = true;
+        server = {
+          PROTOCOL = "http+unix";
+          DOMAIN = "git.baduhai.dev";
+          ROOT_URL = "https://git.baduhai.dev";
+          OFFLINE_MODE = true; # disable use of CDNs
+          SSH_DOMAIN = "git.baduhai.dev";
+          SSH_USER = "forgejo";
+          SSH_PORT = lib.head config.services.openssh.ports;
+        };
+        log.LEVEL = "Warn";
+        mailer.ENABLED = false;
+        actions.ENABLED = false;
+        service.DISABLE_REGISTRATION = true;
+        oauth2_client = {
+          ENABLE_AUTO_REGISTRATION = true;
+          UPDATE_AVATAR = true;
+          ACCOUNT_LINKING = "login";
+          USERNAME = "preferred_username";
+        };
+      };
+    };
+    nginx.virtualHosts = mkNginxVHosts {
+      domains."git.baduhai.dev".locations."/".proxyPass =
+        "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
+    };
+    fail2ban.jails.forgejo = {
+      settings = {
+        enabled = true;
+        filter = "forgejo";
+        maxretry = 3;
+        findtime = "10m";
+        bantime = "1h";
+      };
+    };
+  };
+
+  environment = {
+    etc."fail2ban/filter.d/forgejo.conf".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+      journalmatch = _SYSTEMD_UNIT=forgejo.service
+    '';
+
+    persistence.main.directories = [
+      {
+        directory = config.services.forgejo.stateDir;
+        inherit (config.services.forgejo) user group;
+        mode = "0700";
+      }
+    ];
+  };
+
+  # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
+  systemd.services.forgejo.serviceConfig = {
+    PrivateMounts = lib.mkForce false;
+    ProtectSystem = lib.mkForce false;
+  };
+}

aspects/hosts/_trantor/hardware-configuration.nix

@@ -0,0 +1,20 @@
+{
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "usbhid"
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

aspects/hosts/_trantor/networking.nix

@@ -1,5 +1,3 @@
-{ ... }:
-
 {
   networking = {
     firewall = {

aspects/hosts/_trantor/nginx.nix

@@ -0,0 +1,56 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  services = inputs.self.services;
+
+  localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "trantor") services));
+
+  acmeCerts = lib.genAttrs localDomains (domain: {
+    group = "nginx";
+  });
+in
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "baduhai@proton.me";
+      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.cloudflare.path;
+    };
+    certs = acmeCerts;
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "_" = {
+        default = true;
+        locations."/".return = "444";
+      };
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  age.secrets.cloudflare = {
+    file = "${inputs.self}/secrets/cloudflare.age";
+    owner = "nginx";
+    group = "nginx";
+  };
+}

aspects/hosts/_trantor/openssh.nix

@@ -0,0 +1,23 @@
+{ ... }:
+
+{
+  services = {
+    openssh = {
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+      };
+    };
+    fail2ban.jails.sshd = {
+      settings = {
+        enabled = true;
+        port = "ssh";
+        filter = "sshd";
+        logpath = "/var/log/auth.log";
+        maxretry = 3;
+        findtime = "10m";
+        bantime = "1h";
+      };
+    };
+  };
+}

aspects/hosts/_trantor/unbound.nix

@@ -0,0 +1,58 @@
+{ inputs, lib, ... }:
+
+let
+  services = inputs.self.services;
+in
+
+{
+  services.unbound = {
+    enable = true;
+    enableRootTrustAnchor = true;
+    settings = {
+      server = {
+        interface = [
+          "0.0.0.0"
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "100.64.0.0/10 allow" # Tailscale CGNAT range
+          "::1/128 allow"
+          "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
+        ];
+
+        num-threads = 2;
+        msg-cache-size = "50m";
+        rrset-cache-size = "100m";
+        cache-min-ttl = 300;
+        cache-max-ttl = 86400;
+        prefetch = true;
+        prefetch-key = true;
+        hide-identity = true;
+        hide-version = true;
+        so-rcvbuf = "1m";
+        so-sndbuf = "1m";
+
+        # Tailnet DNS records from shared services
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') services;
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "1.1.1.1@853#cloudflare-dns.com"
+            "1.0.0.1@853#cloudflare-dns.com"
+          ];
+          forward-tls-upstream = true;
+        }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+}

aspects/hosts/alexandria.nix

@@ -0,0 +1,19 @@
+{ inputs, ... }:
+
+let
+  mkHost = inputs.self.lib.mkHost;
+in
+
+{
+  flake.nixosConfigurations.alexandria = mkHost {
+    hostname = "alexandria";
+    nixpkgs = inputs.nixpkgs-stable;
+    extraModules = with inputs.self.modules.nixos; [
+      # base aspects
+      server
+      # other aspects
+      fwupd
+      libvirtd
+    ];
+  };
+}

aspects/hosts/io.nix

@@ -0,0 +1,24 @@
+{ inputs, ... }:
+
+let
+  mkHost = inputs.self.lib.mkHost;
+in
+
+{
+  flake.nixosConfigurations.io = mkHost {
+    hostname = "io";
+    ephemeralRootDev = "/dev/mapper/cryptroot";
+    extraModules = with inputs.self.modules.nixos; [
+      # base aspects
+      desktop
+      # other aspects
+      ai
+      bluetooth
+      dev
+      libvirtd
+      networkmanager
+      niri
+      podman
+    ];
+  };
+}

aspects/hosts/rotterdam.nix

@@ -0,0 +1,26 @@
+{ inputs, ... }:
+
+let
+  mkHost = inputs.self.lib.mkHost;
+in
+
+{
+  flake.nixosConfigurations.rotterdam = mkHost {
+    hostname = "rotterdam";
+    ephemeralRootDev = "/dev/mapper/cryptroot";
+    extraModules = with inputs.self.modules.nixos; [
+      # base aspects
+      desktop
+      gaming
+      # other aspects
+      ai
+      bluetooth
+      dev
+      fwupd
+      libvirtd
+      networkmanager
+      niri
+      podman
+    ];
+  };
+}

aspects/hosts/trantor.nix

@@ -0,0 +1,18 @@
+{ inputs, ... }:
+
+let
+  mkHost = inputs.self.lib.mkHost;
+in
+
+{
+  flake.nixosConfigurations.trantor = mkHost {
+    hostname = "trantor";
+    system = "aarch64-linux";
+    nixpkgs = inputs.nixpkgs-stable;
+    ephemeralRootDev = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20-part2";
+    extraModules = with inputs.self.modules.nixos; [
+      # base aspects
+      server
+    ];
+  };
+}

aspects/libvirtd.nix

@@ -0,0 +1,27 @@
+{ ... }:
+{
+  flake.modules.nixos.libvirtd =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      virtualisation = {
+        libvirtd.enable = true;
+        spiceUSBRedirection.enable = true;
+      };
+
+      programs.virt-manager.enable = true;
+
+      environment.systemPackages = with pkgs; [ lima ];
+
+      networking.firewall.trustedInterfaces = [ "virbr0" ];
+
+      users.users.user.extraGroups = [
+        "libvirt"
+        "libvirtd"
+      ];
+    };
+}

aspects/lxc.nix

@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+  flake.modules.nixos.lxc =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      virtualisation = {
+        lxc = {
+          enable = true;
+          unprivilegedContainers = true;
+        };
+        incus.enable = true;
+      };
+
+      users.users.user.extraGroups = [ "incus-admin" ];
+    };
+}

aspects/networkmanager.nix

@@ -0,0 +1,18 @@
+{ ... }:
+{
+  flake.modules.nixos.networkmanager =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      networking.networkmanager = {
+        enable = true;
+        wifi.backend = "iwd";
+      };
+
+      users.users.user.extraGroups = [ "networkmanager" ];
+    };
+}

aspects/podman.nix

@@ -0,0 +1,24 @@
+{ ... }:
+{
+  flake.modules.nixos.podman =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      virtualisation.podman = {
+        enable = true;
+        autoPrune.enable = true;
+        extraPackages = [ pkgs.podman-compose ];
+      };
+
+      security.unprivilegedUsernsClone = true; # Needed for rootless podman
+
+      systemd = {
+        services.podman-auto-update.enable = true;
+        timers.podman-auto-update.enable = true;
+      };
+    };
+}

aspects/stylix.nix

@@ -0,0 +1,69 @@
+{ ... }:
+
+{
+  flake.modules = {
+    nixos.stylix =
+      { inputs, ... }:
+      {
+        imports = [ inputs.stylix.nixosModules.stylix ];
+      };
+
+    homeManager.stylix =
+      {
+        config,
+        inputs,
+        pkgs,
+        ...
+      }:
+      {
+        imports = [ inputs.stylix.homeModules.stylix ];
+
+        stylix = {
+          enable = true;
+          polarity = "dark";
+          base16Scheme = "${pkgs.base16-schemes}/share/themes/tokyodark.yaml";
+          cursor = {
+            package = pkgs.kdePackages.breeze;
+            name = "breeze_cursors";
+            size = 24;
+          };
+          icons = {
+            enable = true;
+            package = pkgs.morewaita-icon-theme;
+            light = "MoreWaita";
+            dark = "MoreWaita";
+          };
+          opacity = {
+            applications = 1.0;
+            desktop = 1.0;
+            popups = config.stylix.opacity.desktop;
+            terminal = 1.0;
+          };
+          fonts = {
+            serif = {
+              package = pkgs.source-serif;
+              name = "Source Serif 4 Display";
+            };
+            sansSerif = {
+              package = pkgs.inter;
+              name = "Inter";
+            };
+            monospace = {
+              package = pkgs.nerd-fonts.fira-code;
+              name = "FiraCode Nerd Font";
+            };
+            emoji = {
+              package = pkgs.noto-fonts-color-emoji;
+              name = "Noto Color Emoji";
+            };
+            sizes = {
+              applications = 10;
+              desktop = config.stylix.fonts.sizes.applications;
+              popups = config.stylix.fonts.sizes.applications;
+              terminal = 12;
+            };
+          };
+        };
+      };
+  };
+}

aspects/systems/base.nix

@@ -0,0 +1,55 @@
+{ inputs, ... }:
+{
+  flake.modules = {
+    nixos.base =
+      { lib, pkgs, ... }:
+      {
+        imports = with inputs.self.modules.nixos; [
+          boot
+          console
+          firewall
+          fish
+          locale
+          nix
+          security
+          ssh
+        ];
+        environment = {
+          systemPackages = with pkgs; [
+            git
+            fastfetch
+            nixos-firewall-tool
+            sysz
+            wget
+            yazi
+          ];
+          shellAliases = {
+            cat = "${lib.getExe pkgs.bat} --paging=never --style=plain";
+            ls = "${lib.getExe pkgs.eza} --git --icons --group-directories-first";
+            tree = "ls --tree";
+          };
+        };
+
+        programs.command-not-found.enable = false;
+
+        services = {
+          dbus.implementation = "broker";
+          irqbalance.enable = true;
+          fstrim.enable = true;
+          tailscale = {
+            enable = true;
+            extraUpFlags = [ "--operator=user" ];
+          };
+        };
+      };
+
+    homeManager.base =
+      { ... }:
+      {
+        imports = with inputs.self.modules.homeManager; [
+          bash
+          fish
+        ];
+      };
+  };
+}

aspects/systems/cli.nix

@@ -0,0 +1,33 @@
+{ inputs, ... }:
+
+{
+  flake.modules = {
+    nixos.cli =
+      { pkgs, ... }:
+      {
+        imports = with inputs.self.modules.nixos; [
+          btop
+          helix
+          tmux
+        ];
+
+        environment.systemPackages = with pkgs; [
+          p7zip
+          rclone
+        ];
+      };
+    homeManager.cli =
+      { ... }:
+      {
+        imports = with inputs.self.modules.homeManager; [
+          btop
+          comma
+          direnv
+          helix
+          hm-cli
+          starship
+          tmux
+        ];
+      };
+  };
+}

aspects/systems/desktop.nix

@@ -0,0 +1,210 @@
+{
+  inputs,
+  ...
+}:
+{
+  flake.modules = {
+    nixos.desktop =
+      {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+      {
+        imports = [
+          inputs.nix-flatpak.nixosModules.nix-flatpak
+        ]
+        ++ (with inputs.self.modules.nixos; [
+          graphics
+          media
+          office
+          web
+        ]);
+
+        boot = {
+          plymouth.enable = true;
+          initrd.systemd.enable = true;
+          loader.efi.efiSysMountPoint = "/boot/efi";
+          kernelPackages = pkgs.linuxPackages_xanmod_latest;
+          extraModprobeConfig = ''
+            options bluetooth disable_ertm=1
+          '';
+          kernel.sysctl = {
+            "net.ipv4.tcp_mtu_probing" = 1;
+          };
+          kernelParams = [
+            "quiet"
+            "splash"
+            "i2c-dev"
+            "i2c-piix4"
+            "loglevel=3"
+            "udev.log_priority=3"
+            "rd.udev.log_level=3"
+            "rd.systemd.show_status=false"
+          ];
+        };
+
+        nix = {
+          registry.nixpkgs.flake = inputs.nixpkgs;
+          nixPath = [
+            "nixpkgs=${inputs.nixpkgs}"
+            "/nix/var/nix/profiles/per-user/root/channels"
+          ];
+        };
+
+        environment = {
+          etc."channels/nixpkgs".source = inputs.nixpkgs.outPath;
+          sessionVariables = {
+            KDEHOME = "$XDG_CONFIG_HOME/kde4"; # Stops kde from placing a .kde4 folder in the home dir
+            NIXOS_OZONE_WL = "1"; # Forces chromium and most electron apps to run in wayland
+          };
+          systemPackages = with pkgs; [
+            adwaita-icon-theme
+            ghostty
+            gnome-disk-utility
+            junction
+            libfido2
+            mission-center
+            nautilus
+            toggleaudiosink
+            unrar
+          ];
+        };
+
+        services = {
+          printing.enable = true;
+          udev.packages = with pkgs; [ yubikey-personalization ];
+          keyd = {
+            enable = true;
+            keyboards.all = {
+              ids = [ "*" ];
+              settings.main.capslock = "overload(meta, esc)";
+            };
+          };
+          pipewire = {
+            enable = true;
+            alsa.enable = true;
+            alsa.support32Bit = true;
+            pulse.enable = true;
+            jack.enable = true;
+            wireplumber.enable = true;
+          };
+          greetd = {
+            enable = true;
+            settings.default_session.user = "greeter";
+          };
+          flatpak = {
+            enable = true;
+            packages = [
+              "com.github.tchx84.Flatseal"
+              "com.rustdesk.RustDesk"
+            ];
+            uninstallUnmanaged = true;
+            update.auto.enable = true;
+          };
+          gvfs.enable = true;
+        };
+
+        security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
+
+        users = {
+          users.greeter = {
+            isSystemUser = true;
+            group = "greeter";
+          };
+          groups.greeter = { };
+        };
+
+        programs = {
+          kdeconnect = {
+            enable = true;
+            package = pkgs.valent;
+          };
+          dconf.enable = true;
+          appimage = {
+            enable = true;
+            binfmt = true;
+          };
+        };
+
+        fonts = {
+          fontDir.enable = true;
+          packages = with pkgs; [
+            corefonts
+            inter
+            nerd-fonts.fira-code
+            noto-fonts-cjk-sans
+            noto-fonts-color-emoji
+            roboto
+          ];
+        };
+
+        xdg.portal = {
+          extraPortals = with pkgs; [
+            xdg-desktop-portal-gnome
+            xdg-desktop-portal-gtk
+          ];
+          config.common.default = "*";
+        };
+      };
+
+    homeManager.desktop =
+      {
+        config,
+        lib,
+        pkgs,
+        inputs,
+        ...
+      }:
+      {
+        imports = [
+          inputs.vicinae.homeManagerModules.default
+        ]
+        ++ (with inputs.self.modules.homeManager; [ media ]);
+
+        fonts.fontconfig.enable = true;
+
+        home = {
+          packages = with pkgs; [ xwayland-satellite ];
+          sessionVariables.TERMINAL = "ghostty";
+        };
+
+        services.vicinae = {
+          enable = true;
+          systemd = {
+            enable = true;
+            autoStart = true;
+          };
+        };
+
+        programs = {
+          ghostty = {
+            enable = true;
+            settings = {
+              cursor-style = "block";
+              shell-integration-features = "no-cursor";
+              cursor-style-blink = false;
+              custom-shader = "${builtins.fetchurl {
+                url = "https://raw.githubusercontent.com/hackr-sh/ghostty-shaders/cb6eb4b0d1a3101c869c62e458b25a826f9dcde3/cursor_blaze.glsl";
+                sha256 = "sha256:0g2lgqjdrn3c51glry7x2z30y7ml0y61arl5ykmf4yj0p85s5f41";
+              }}";
+              bell-features = "";
+              gtk-titlebar-style = "tabs";
+              keybind = [ "shift+enter=text:\\x1b\\r" ];
+            };
+          };
+
+          password-store = {
+            enable = true;
+            package = pkgs.pass-wayland;
+          };
+        };
+
+        xdg = {
+          enable = true;
+          userDirs.enable = true;
+        };
+      };
+  };
+}

aspects/systems/gaming.nix

@@ -0,0 +1,48 @@
+{ inputs, ... }:
+
+{
+  flake.modules = {
+    nixos.gaming =
+      { pkgs, ... }:
+      {
+        imports = with inputs.self.modules.nixos; [
+          mangohud
+          steam
+        ];
+        hardware = {
+          xpadneo.enable = true;
+          steam-hardware.enable = true; # Allow steam client to manage controllers
+          graphics.enable32Bit = true; # For OpenGL games
+        };
+
+        services.flatpak.packages = [
+          "com.github.k4zmu2a.spacecadetpinball"
+          "io.itch.itch"
+          "io.mrarm.mcpelauncher"
+          "net.retrodeck.retrodeck"
+          "org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/25.08"
+          rec {
+            appId = "com.hypixel.HytaleLauncher";
+            sha256 = "01307s44bklc1ldcigcn9n4lm8hf8q793v9fv7w4w04xd5zyh4rv";
+            bundle = "${pkgs.fetchurl {
+              url = "https://launcher.hytale.com/builds/release/linux/amd64/hytale-launcher-latest.flatpak";
+              inherit sha256;
+            }}";
+          }
+        ];
+
+        environment.systemPackages = with pkgs; [
+          clonehero
+          heroic
+          prismlauncher
+        ];
+      };
+    homeManager.gaming =
+      { ... }:
+      {
+        imports = with inputs.self.modules.homeManager; [
+          mangohud
+        ];
+      };
+  };
+}

aspects/systems/server.nix

@@ -0,0 +1,36 @@
+{ inputs, ... }:
+
+{
+  flake.modules.nixos.server =
+    {
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      boot = {
+        kernelPackages = pkgs.linuxPackages_hardened;
+        kernel.sysctl = {
+          "net.ipv4.ip_forward" = 1;
+          "net.ipv6.conf.all.forwarding" = 1;
+        };
+      };
+
+      environment.etc."channels/nixpkgs".source = inputs.nixpkgs-stable.outPath;
+
+      nix = {
+        registry.nixpkgs.flake = inputs.nixpkgs-stable;
+        nixPath = [
+          "nixpkgs=/etc/channels/nixpkgs"
+          "/nix/var/nix/profiles/per-user/root/channels"
+        ];
+      };
+
+      services.tailscale = {
+        extraSetFlags = [ "--advertise-exit-node" ];
+        useRoutingFeatures = "server";
+      };
+
+    };
+}

aspects/users/_user/git.nix

@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+  programs = {
+    git = {
+      enable = true;
+      settings.user = {
+        name = "William";
+        email = "baduhai@proton.me";
+      };
+    };
+    diff-so-fancy = {
+      enable = true;
+      enableGitIntegration = true;
+    };
+  };
+}

aspects/users/root.nix

@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  flake.modules.nixos.root =
+    { pkgs, ... }:
+    {
+      users.users.root = {
+        shell = pkgs.fish;
+        hashedPassword = "!";
+      };
+    };
+}

aspects/users/user.nix

@@ -0,0 +1,55 @@
+{ inputs, ... }:
+
+let
+  mkHomeConfiguration = inputs.self.lib.mkHomeConfiguration;
+in
+
+{
+  flake = {
+    modules.nixos.user =
+      { pkgs, ... }:
+      {
+        users.users.user = {
+          isNormalUser = true;
+          shell = pkgs.fish;
+          extraGroups = [
+            "networkmanager"
+            "wheel"
+          ];
+          openssh.authorizedKeys.keys = [
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
+            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
+          ];
+          hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0";
+        };
+      };
+    homeConfigurations = {
+      "user@rotterdam" = mkHomeConfiguration {
+        user = "user";
+        hostname = "rotterdam";
+        userModules = with inputs.self.modules.homeManager; [
+          # system aspects
+          desktop
+          gaming
+
+          # other aspects
+          stylix
+          niri
+        ];
+      };
+      "user@io" = mkHomeConfiguration {
+        user = "user";
+        hostname = "io";
+        userModules = with inputs.self.modules.homeManager; [
+          # system aspects
+          desktop
+
+          # other aspects
+          stylix
+          niri
+        ];
+      };
+    };
+  };
+}

data/services.nix

@@ -0,0 +1,42 @@
+# Shared service and host definitions
+# This file can be imported directly (unlike aspects which use flake-parts)
+{
+  hosts = {
+    alexandria = {
+      lanIP = "192.168.15.142";
+      tailscaleIP = "100.76.19.50";
+    };
+    trantor = {
+      tailscaleIP = "100.108.5.90";
+    };
+  };
+
+  services = [
+    {
+      name = "kanidm";
+      domain = "auth.baduhai.dev";
+      host = "alexandria";
+    }
+    {
+      name = "vaultwarden";
+      domain = "pass.baduhai.dev";
+      host = "alexandria";
+    }
+    {
+      name = "forgejo";
+      domain = "git.baduhai.dev";
+      host = "trantor";
+      public = true;
+    }
+    {
+      name = "nextcloud";
+      domain = "cloud.baduhai.dev";
+      host = "alexandria";
+    }
+    {
+      name = "jellyfin";
+      domain = "jellyfin.baduhai.dev";
+      host = "alexandria";
+    }
+  ];
+}

flake.nix

@@ -2,193 +2,70 @@
   description = "My nix hosts";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    # nix tools
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05";
+    flake-parts.url = "github:hercules-ci/flake-parts";
+    import-tree.url = "github:vic/import-tree";
 
+    # nixos/hm
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
     home-manager = {
       url = "github:nix-community/home-manager/master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    home-manager-stable = {
-      url = "github:nix-community/home-manager/release-25.05";
-      inputs.nixpkgs.follows = "nixpkgs-stable";
-    };
-
-    disko = {
-      url = "github:nix-community/disko?ref=v1.11.0";
-      inputs.nixpkgs.follows = "nixpkgs-stable";
-    };
 
+    # nixos/hm functionality modules
     agenix = {
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs-stable";
     };
-
+    disko.url = "github:nix-community/disko";
-    deploy-rs = {
-      url = "github:serokell/deploy-rs";
-      inputs.nixpkgs.follows = "nixpkgs-stable";
-    };
-
-    nix-flatpak.url = "github:gmodena/nix-flatpak/latest";
-
     impermanence.url = "github:nix-community/impermanence";
+    nixos-cli.url = "github:nix-community/nixos-cli";
+    nix-flatpak.url = "github:gmodena/nix-flatpak/main";
+    stylix.url = "github:danth/stylix";
+
+    # nixos/hm program modules
+    nix-ai-tools.url = "github:numtide/llm-agents.nix";
+    nix-index-database = {
+      url = "github:nix-community/nix-index-database";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    noctalia = {
+      url = "github:noctalia-dev/noctalia-shell";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    vicinae.url = "github:vicinaehq/vicinae";
+    zen-browser.url = "github:0xc000022070/zen-browser-flake";
+
+    # stand-alone tools
+    terranix = {
+      url = "github:terranix/terranix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
 
   outputs =
-    inputs@{
+    inputs@{ flake-parts, import-tree, ... }:
-      self,
-      nixpkgs,
-      nixpkgs-stable,
-      home-manager,
-      home-manager-stable,
-      disko,
-      agenix,
-      deploy-rs,
-      nix-flatpak,
-      impermanence,
-      ...
-    }:
-    {
-      nixosConfigurations =
     let
-          mkHost =
+      aspectsModules = import-tree ./aspects;
-            {
+      packagesModules = import-tree ./packages;
-              hostname,
+      shellsModules = import-tree ./shells;
-              type, # workstation|server
+      terranixModules = import-tree ./terranix;
-              system ? "x86_64-linux",
-              extraModules ? [ ],
-            }:
-            let
-              pkgs = if type == "server" then nixpkgs-stable else nixpkgs;
-              hm = if type == "server" then home-manager-stable else home-manager;
-              hostTypeFlags = {
-                isServer = type == "server";
-                isWorkstation = type == "workstation";
-              };
-              defaultModules = [
-                ./hosts/${hostname}.nix
-                agenix.nixosModules.default
-                disko.nixosModules.default
-                hm.nixosModules.default
-                impermanence.nixosModules.impermanence
-                nix-flatpak.nixosModules.nix-flatpak
-                {
-                  nixpkgs.overlays = [
-                    agenix.overlays.default
-                  ];
-                }
-              ];
-              workstationModules = [
-                {
-                  nixpkgs.overlays = [
-                    self.overlays.workstationOverlay
-                  ];
-                }
-              ];
-              serverModules = [
-                {
-                  nixpkgs.overlays = [
-                    self.overlays.serverOverlay
-                  ];
-                }
-              ];
-              typeModules = if type == "server" then serverModules else workstationModules;
-              allModules = defaultModules ++ typeModules ++ extraModules;
     in
-            pkgs.lib.nixosSystem {
+    flake-parts.lib.mkFlake { inherit inputs; } {
-              inherit system;
+      systems = [
-              specialArgs = {
+        "x86_64-linux"
-                inherit inputs;
+        "aarch64-linux"
-                hostType = hostTypeFlags;
-              };
-              modules = allModules;
-            };
-        in
-        {
-          rotterdam = mkHost {
-            hostname = "rotterdam";
-            type = "workstation";
-          };
-          io = mkHost {
-            hostname = "io";
-            type = "workstation";
-          };
-          alexandria = mkHost {
-            hostname = "alexandria";
-            type = "server";
-            extraModules = [ self.nixosModules.qbittorrent ];
-          };
-          trantor = mkHost {
-            hostname = "trantor";
-            type = "server";
-            system = "aarch64-linux";
-          };
-        };
-
-      overlays = {
-        overlay = final: prev: {
-        };
-        workstationOverlay = final: prev: {
-          plasticity = nixpkgs.legacyPackages."x86_64-linux".callPackage ./packages/plasticity.nix { };
-          toggleaudiosink =
-            nixpkgs.legacyPackages."x86_64-linux".callPackage ./packages/toggleaudiosink.nix
-              { };
-        };
-        serverOverlay = final: prev: {
-        };
-      };
-
-      deploy = {
-        autoRollback = true;
-        magicRollback = false;
-        nodes = {
-          alexandria = {
-            hostname = "alexandria";
-            profiles = {
-              system = {
-                user = "root";
-                sshUser = "root";
-                remoteBuild = true;
-                path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.alexandria;
-              };
-            };
-          };
-
-          trantor = {
-            hostname = "trantor";
-            profiles = {
-              system = {
-                user = "root";
-                sshUser = "root";
-                remoteBuild = true;
-                path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.alexandria;
-              };
-            };
-          };
-
-          io = {
-            hostname = "io";
-            profiles = {
-              system = {
-                user = "root";
-                sshUser = "root";
-                remoteBuild = false;
-                path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.io;
-              };
-            };
-          };
-        };
-      };
-
-      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
-
-      devShells."x86_64-linux".default = nixpkgs.legacyPackages."x86_64-linux".mkShell {
-        packages = with nixpkgs.legacyPackages."x86_64-linux"; [
-          nil
-          nixfmt-rfc-style
       ];
-      };
 
-      nixosModules.qbittorrent = import ./modules/qbittorrent.nix;
+      imports = [
+        flake-parts.flakeModules.modules
+        inputs.terranix.flakeModule
+      ]
+      ++ aspectsModules.imports
+      ++ packagesModules.imports
+      ++ shellsModules.imports
+      ++ terranixModules.imports;
     };
 }

hosts/alexandria.nix

@@ -1,12 +0,0 @@
-{ ... }:
-
-{
-  networking.hostName = "alexandria";
-
-  imports = [
-    ./modules/alexandria
-    ./modules
-  ];
-
-  nix.nixPath = [ "nixos-config=${./alexandria.nix}" ];
-}

hosts/io.nix

@@ -1,12 +0,0 @@
-{ ... }:
-
-{
-  networking.hostName = "io";
-
-  imports = [
-    ./modules/io
-    ./modules
-  ];
-
-  nix.nixPath = [ "nixos-config=${./io.nix}" ];
-}

hosts/modules/alexandria/changedetection.nix

@@ -1,20 +0,0 @@
-{ config, lib, ... }:
-
-{
-  services = {
-    changedetection-io = {
-      enable = true;
-      behindProxy = true;
-      datastorePath = "/data/changedetection";
-      port = lib.toInt "${config.ports.changedetection-io}";
-      baseURL = "https://detect.baduhai.dev";
-    };
-
-    nginx.virtualHosts."detect.baduhai.dev" = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://127.0.0.1:${config.ports.changedetection-io}";
-    };
-  };
-}

hosts/modules/alexandria/cinny.nix

@@ -1,23 +0,0 @@
-{ config, ... }:
-
-{
-  virtualisation.oci-containers.containers."cinny" = {
-    image = "ghcr.io/cinnyapp/cinny:latest";
-    ports = [ "${config.ports.cinny}:80" ];
-    environment = {
-      TZ = "America/Bahia";
-    };
-    volumes = [ "/data/matrix/cinny-config.json:/app/config.json" ];
-    extraOptions = [
-      "--pull=newer"
-      "--label=io.containers.autoupdate=registry"
-    ];
-  };
-
-  services.nginx.virtualHosts."matrix.baduhai.dev" = {
-    useACMEHost = "baduhai.dev";
-    forceSSL = true;
-    kTLS = true;
-    locations."/".proxyPass = "http://127.0.0.1:${config.ports.cinny}";
-  };
-}

hosts/modules/alexandria/default.nix

@@ -1,49 +0,0 @@
-{ lib, ... }:
-
-let
-  mkStringOption =
-    default:
-    lib.mkOption {
-      inherit default;
-      type = lib.types.str;
-    };
-
-in
-
-{
-  imports = [
-    ./changedetection.nix
-    ./cinny.nix
-    ./forgejo.nix
-    ./hardware-configuration.nix
-    ./jellyfin.nix
-    ./librespeed.nix
-    ./memos.nix
-    # ./nextcloud.nix
-    ./nginx.nix
-    ./searx.nix
-    ./services.nix
-    ./users.nix
-    ./vaultwarden.nix
-  ];
-
-  options.ports = {
-    bazaar = mkStringOption "6767";
-    radarr = mkStringOption "7878";
-    vaultwarden = mkStringOption "8000";
-    changedetection-io = mkStringOption "8001";
-    cinny = mkStringOption "8002";
-    librespeed = mkStringOption "8003";
-    paperless = mkStringOption "8004";
-    yousable = mkStringOption "8005";
-    cinny2 = mkStringOption "8006";
-    searx = mkStringOption "8007";
-    qbittorrent = mkStringOption "8008";
-    actual = mkStringOption "8009";
-    memos = mkStringOption "8010";
-    collabora = mkStringOption "8011";
-    jellyfin = mkStringOption "8096";
-    sonarr = mkStringOption "8989";
-    jackett = mkStringOption "9117";
-  };
-}

hosts/modules/alexandria/forgejo.nix

@@ -1,33 +0,0 @@
-{ config, ... }:
-
-let
-  domain = "git.baduhai.dev";
-in
-
-{
-  services = {
-    forgejo = {
-      enable = true;
-      repositoryRoot = "/data/forgejo";
-      settings = {
-        session.COOKIE_SECURE = true;
-        server = {
-          PROTOCOL = "http+unix";
-          DOMAIN = domain;
-          ROOT_URL = "https://${domain}";
-          OFFLINE_MODE = true; # disable use of CDNs
-          SSH_DOMAIN = "baduhai.dev";
-        };
-        log.LEVEL = "Warn";
-        mailer.ENABLED = false;
-        actions.ENABLED = false;
-      };
-    };
-    nginx.virtualHosts.${domain} = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
-    };
-  };
-}

hosts/modules/alexandria/jellyfin.nix

@@ -1,19 +0,0 @@
-{ config, ... }:
-
-{
-  services = {
-    jellyfin = {
-      enable = true;
-      user = "user";
-      group = "hosted";
-      openFirewall = true;
-    };
-
-    nginx.virtualHosts."jellyfin.baduhai.dev" = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://127.0.0.1:${config.ports.jellyfin}";
-    };
-  };
-}

hosts/modules/alexandria/librespeed.nix

@@ -1,22 +0,0 @@
-{ config, ... }:
-
-{
-  virtualisation.oci-containers.containers."librespeed" = {
-    image = "lscr.io/linuxserver/librespeed:latest";
-    environment = {
-      TZ = "America/Bahia";
-    };
-    ports = [ "${config.ports.librespeed}:80" ];
-    extraOptions = [
-      "--pull=newer"
-      "--label=io.containers.autoupdate=registry"
-    ];
-  };
-
-  services.nginx.virtualHosts."speed.baduhai.dev" = {
-    useACMEHost = "baduhai.dev";
-    forceSSL = true;
-    kTLS = true;
-    locations."/".proxyPass = "http://127.0.0.1:${config.ports.librespeed}";
-  };
-}

hosts/modules/alexandria/memos.nix

@@ -1,23 +0,0 @@
-{ config, ... }:
-
-{
-  virtualisation.oci-containers.containers."memos" = {
-    image = "docker.io/neosmemo/memos:stable";
-    ports = [ "${config.ports.memos}:5230" ];
-    environment = {
-      TZ = "America/Bahia";
-    };
-    volumes = [ "/data/memos/:/var/opt/memos" ];
-    extraOptions = [
-      "--pull=newer"
-      "--label=io.containers.autoupdate=registry"
-    ];
-  };
-
-  services.nginx.virtualHosts."notes.baduhai.dev" = {
-    useACMEHost = "baduhai.dev";
-    forceSSL = true;
-    kTLS = true;
-    locations."/".proxyPass = "http://127.0.0.1:${config.ports.memos}";
-  };
-}

hosts/modules/alexandria/networking.nix

@@ -1,17 +0,0 @@
-{ ... }:
-
-{
-  networking = {
-    firewall = {
-      allowedTCPPorts = [
-        80 # HTTP
-        443 # HTTPS
-        25565 # Minecraft
-      ];
-      allowedUDPPorts = [
-        19132 # Minecraft Bedrock
-        25565 # Minecraft
-      ];
-    };
-  };
-}

hosts/modules/alexandria/nginx.nix

@@ -1,37 +0,0 @@
-{ config, ... }:
-
-{
-  services.nginx = {
-    enable = true;
-    group = "hosted";
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      email = "baduhai@proton.me";
-      dnsResolver = "1.1.1.1:53";
-      dnsProvider = "cloudflare";
-      credentialsFile = config.age.secrets.cloudflare.path;
-    };
-    certs."baduhai.dev" = {
-      extraDomainNames = [ "*.baduhai.dev" ];
-    };
-  };
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-    "net.ipv6.conf.all.forwarding" = 1;
-  };
-
-  age.secrets.cloudflare = {
-    file = ../../../secrets/cloudflare.age;
-    owner = "nginx";
-    group = "hosted";
-  };
-
-}

hosts/modules/alexandria/searx.nix

@@ -1,28 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-
-{
-  services = {
-    searx = {
-      enable = true;
-      package = pkgs.searxng;
-      settings.server = {
-        port = lib.toInt "${config.ports.searx}";
-        bind_address = "0.0.0.0";
-        secret_key = "&yEf!xLA@y3FdJ5BjKnUnNAkqer$iW!9";
-        method = "GET";
-      };
-    };
-
-    nginx.virtualHosts."search.baduhai.dev" = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://127.0.0.1:${config.ports.searx}";
-    };
-  };
-}

hosts/modules/alexandria/services.nix

@@ -1,11 +0,0 @@
-{ ... }:
-
-{
-  services.postgresql.enable = true;
-
-  # TODO: remove when bug fix
-  # serokell/deploy-rs/issues/57
-  # NixOS/nixpkgs/issues/180175
-  # Workaround for upstream bug in NetworkManager-wait-online.service
-  systemd.services.NetworkManager-wait-online.enable = false;
-}

hosts/modules/alexandria/users.nix

@@ -1,19 +0,0 @@
-{ ... }:
-
-{
-  users = {
-    users = {
-      nginx.extraGroups = [ "acme" ];
-    };
-    groups = {
-      hosted = {
-        gid = 1005;
-        members = [
-          "user"
-          "paperless"
-          "vaultwarden"
-        ];
-      };
-    };
-  };
-}

hosts/modules/alexandria/vaultwarden.nix

@@ -1,22 +0,0 @@
-{ config, ... }:
-
-{
-  services = {
-    vaultwarden = {
-      enable = true;
-      config = {
-        DOMAIN = "https://pass.baduhai.dev";
-        SIGNUPS_ALLOWED = true;
-        ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = "${config.ports.vaultwarden}";
-      };
-    };
-
-    nginx.virtualHosts."pass.baduhai.dev" = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://127.0.0.1:${config.ports.vaultwarden}";
-    };
-  };
-}

hosts/modules/boot.nix

@@ -1,61 +0,0 @@
-{
-  hostType,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      boot = {
-        loader = {
-          timeout = 1;
-          efi.canTouchEfiVariables = true;
-          systemd-boot = {
-            enable = true;
-            editor = false;
-            consoleMode = "max";
-            sortKey = "aa";
-            netbootxyz = {
-              enable = true;
-              sortKey = "zz";
-            };
-          };
-        };
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-      boot.kernelPackages = pkgs.linuxPackages_hardened;
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      boot = {
-        plymouth.enable = true;
-        initrd.systemd.enable = true;
-        loader.efi.efiSysMountPoint = "/boot/efi";
-        kernelPackages = pkgs.linuxPackages_xanmod_latest;
-        extraModprobeConfig = ''
-          options bluetooth disable_ertm=1
-        '';
-        kernel.sysctl = {
-          "net.ipv4.tcp_mtu_probing" = 1;
-        };
-        kernelParams = [
-          "quiet"
-          "splash"
-          "i2c-dev"
-          "i2c-piix4"
-          "loglevel=3"
-          "udev.log_priority=3"
-          "rd.udev.log_level=3"
-          "rd.systemd.show_status=false"
-        ];
-      };
-    })
-  ];
-}

hosts/modules/console.nix

@@ -1,21 +0,0 @@
-{ hostType, lib, ... }:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      console = {
-        useXkbConfig = true;
-        earlySetup = true;
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-    })
-  ];
-}

hosts/modules/default.nix

@@ -1,18 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./boot.nix
-    ./console.nix
-    ./desktop.nix
-    ./impermanence.nix
-    ./locale.nix
-    ./networking.nix
-    ./nix.nix
-    ./programs.nix
-    ./security.nix
-    ./services.nix
-    ./users.nix
-    ./virtualisation.nix
-  ];
-}

hosts/modules/desktop.nix

@@ -1,64 +0,0 @@
-{
-  hostType,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      services = {
-        pipewire = {
-          enable = true;
-          alsa.enable = true;
-          alsa.support32Bit = true;
-          pulse.enable = true;
-          jack.enable = true;
-          wireplumber.enable = true;
-        };
-        greetd = {
-          enable = true;
-          settings.default_session.command = "${pkgs.greetd.tuigreet}/bin/tuigreet --remember --asterisks --time";
-        };
-      };
-      programs.niri.enable = true;
-      environment.systemPackages = with pkgs; [
-        anyrun
-        foot
-        gsettings-desktop-schemas
-        swaybg
-        swww
-        xwayland-satellite
-      ];
-
-      hardware = {
-        xpadneo.enable = true;
-        bluetooth.enable = true;
-        steam-hardware.enable = true; # Allow steam client to manage controllers
-        graphics.enable32Bit = true; # For OpenGL games
-        i2c.enable = true;
-      };
-
-      security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
-
-      xdg.portal = {
-        enable = true;
-        xdgOpenUsePortal = true;
-        extraPortals = with pkgs; [
-          xdg-desktop-portal-gtk
-          xdg-desktop-portal-gnome
-        ];
-      };
-    })
-  ];
-}

hosts/modules/environment.nix

@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-
-{
-}

hosts/modules/impermanence.nix

@@ -1,41 +0,0 @@
-{
-  hostType,
-  lib,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      environment.persistence.main = {
-        persistentStoragePath = "/persistent";
-        files = [
-          "/etc/machine-id"
-          "/etc/ssh/ssh_host_ed25519_key"
-          "/etc/ssh/ssh_host_ed25519_key.pub"
-          "/etc/ssh/ssh_host_rsa_key"
-          "/etc/ssh/ssh_host_rsa_key.pub"
-        ];
-        directories = [
-          "/etc/NetworkManager/system-connections"
-          "/var/lib/bluetooth"
-          "/var/lib/flatpak"
-          "/var/lib/nixos"
-          "/var/lib/systemd/coredump"
-          "/var/lib/systemd/timers"
-          "/var/lib/tailscale"
-          "/var/log"
-        ];
-      };
-    })
-  ];
-}

hosts/modules/io/default.nix

@@ -1,11 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./boot.nix
-    ./ephermal.nix
-    ./hardware-configuration.nix
-    ./programs.nix
-    ./services.nix
-  ];
-}

hosts/modules/io/ephermal.nix

@@ -1,46 +0,0 @@
-{ ... }:
-
-{
-  boot.initrd.systemd.services.recreate-root = {
-    description = "Rolling over and creating new filesystem root";
-    requires = [ "initrd-root-device.target" ];
-    after = [
-      "local-fs-pre.target"
-      "initrd-root-device.target"
-    ];
-    requiredBy = [ "initrd-root-fs.target" ];
-    before = [ "sysroot.mount" ];
-    unitConfig = {
-      AssertPathExists = "/etc/initrd-release";
-      DefaultDependencies = false;
-    };
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      mkdir /btrfs_tmp
-      mount /dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f /btrfs_tmp
-      if [[ -e /btrfs_tmp/@root ]]; then
-        mkdir -p /btrfs_tmp/old_roots
-        timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/@root)" "+%Y-%m-%-d_%H:%M:%S")
-        mv /btrfs_tmp/@root "/btrfs_tmp/old_roots/$timestamp"
-      fi
-
-      delete_subvolume_recursively() {
-        IFS=$'\n'
-        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-          delete_subvolume_recursively "/btrfs_tmp/$i"
-        done
-        btrfs subvolume delete "$1"
-      }
-
-      for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
-        delete_subvolume_recursively "$i"
-      done
-
-      btrfs subvolume create /btrfs_tmp/@root
-      umount /btrfs_tmp
-    '';
-  };
-}

hosts/modules/io/hardware-configuration.nix

@@ -1,88 +0,0 @@
-{
-  config,
-  lib,
-  modulesPath,
-  ...
-}:
-
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  boot = {
-    initrd = {
-      availableKernelModules = [
-        "xhci_pci"
-        "ahci"
-        "usb_storage"
-        "sd_mod"
-        "sdhci_pci"
-      ];
-      luks.devices."enc" = {
-        device = "/dev/disk/by-uuid/8018720e-42dd-453c-b374-adaa02eb48c9";
-        keyFile = "/dev/disk/by-partuuid/cbc7e305-d32d-4250-b6ae-6a8264ea096e";
-      };
-    };
-    kernelModules = [ "kvm-intel" ];
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
-      fsType = "btrfs";
-      options = [
-        "subvol=@root"
-        "noatime"
-        "compress=zstd"
-      ];
-    };
-    "/home" = {
-      device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
-      fsType = "btrfs";
-      options = [
-        "subvol=@home"
-        "noatime"
-        "compress=zstd"
-      ];
-    };
-    "/nix" = {
-      device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
-      fsType = "btrfs";
-      options = [
-        "subvol=@nix"
-        "noatime"
-        "compress=zstd"
-      ];
-    };
-    "/persistent" = {
-      device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
-      fsType = "btrfs";
-      options = [
-        "subvol=@persistent"
-        "noatime"
-        "compress=zstd"
-      ];
-    };
-    "/boot/efi" = {
-      device = "/dev/disk/by-uuid/31C9-08FF";
-      fsType = "vfat";
-      options = [
-        "noatime"
-        "fmask=0077"
-        "dmask=0077"
-      ];
-    };
-  };
-
-  zramSwap = {
-    enable = true;
-    memoryPercent = 100;
-  };
-
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-
-  networking.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/modules/networking.nix

@@ -1,40 +0,0 @@
-{
-  hostType,
-  lib,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      networking = {
-        networkmanager.enable = true;
-        firewall.enable = true;
-      };
-
-      services = {
-        tailscale = {
-          enable = true;
-          extraUpFlags = [ "--operator=user" ];
-        };
-        openssh = {
-          enable = true;
-          settings.PermitRootLogin = "no";
-        };
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-      services.tailscale = {
-        extraSetFlags = [ "--advertise-exit-node" ];
-        useRoutingFeatures = "server";
-      };
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-    })
-  ];
-}