flake.lock: Update

Flake lock file updates:

• Updated input 'nix-ai-tools':
    'github:numtide/nix-ai-tools/58d5d222d6802a75c1ed637d049ea438d199051a?narHash=sha256-pQ2XzsB/n8E5FWYnICZu/BzkKy8a50EzmUGTCo5SeHg%3D' (2025-11-13)
  → 'github:numtide/nix-ai-tools/a2dfa932ed37e5b6224b39b4982c85cd8ebcca14?narHash=sha256-n6bChFrCf2/uHzTsZdABUt1%2BUa3n0jinNfamHd5DmBA%3D' (2025-11-17)
• Updated input 'nix-ai-tools/blueprint':
    'github:numtide/blueprint/633af1961cae8e02bc6195e6e599a6b09bf75217?narHash=sha256-wTQzbbQ6XHtvNJVuhJj%2BytZDRyNtwUKbrIfIvMvKNfQ%3D' (2025-10-28)
  → 'github:numtide/blueprint/5a9bba070f801d63e2af3c9ef00b86b212429f4f?narHash=sha256-O9Y%2BWer8wOh%2BN%2B4kcCK5p/VLrXyX%2Bktk0/s3HdZvJzk%3D' (2025-11-16)
• Updated input 'nix-ai-tools/nixpkgs':
    'github:NixOS/nixpkgs/9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4?narHash=sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI%3D' (2025-11-11)
  → 'github:NixOS/nixpkgs/85a6c4a07faa12aaccd81b36ba9bfc2bec974fa1?narHash=sha256-3YJkOBrFpmcusnh7i8GXXEyh7qZG/8F5z5%2B717550Hk%3D' (2025-11-16)

.gitignore

@@ -1,3 +1,13 @@
-result/
+# Nix build outputs
+result
+result-*
 .direnv/
-.pre-commit-config.yaml
+oci-trantor/
+tailscale-tailnet/
+cloudflare-baduhaidev
+
+# Personal notes and temporary files
+todo.md
+notes.md
+scratch/
+tmp/

deploy.nix

@@ -0,0 +1,48 @@
+{ inputs, self, ... }:
+{
+  flake.deploy = {
+    remoteBuild = true;
+    nodes = {
+      alexandria = {
+        hostname = "alexandria";
+        profiles.system = {
+          sshUser = "user";
+          path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.alexandria;
+          user = "root";
+        };
+      };
+
+      trantor = {
+        hostname = "trantor";
+        profiles.system = {
+          sshUser = "user";
+          path = inputs.deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.trantor;
+          user = "root";
+        };
+      };
+
+      io = {
+        hostname = "io";
+        profiles = {
+          system = {
+            sshUser = "user";
+            path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.io;
+            user = "root";
+            remoteBuild = false;
+          };
+          user = {
+            sshUser = "user";
+            path = inputs.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurations."user@io";
+            user = "user";
+            remoteBuild = false;
+          };
+        };
+      };
+    };
+  };
+  perSystem =
+    { system, ... }:
+    {
+      checks = inputs.deploy-rs.lib.${system}.deployChecks self.deploy;
+    };
+}

devShells.nix

@@ -0,0 +1,16 @@
+{ inputs, ... }:
+
+{
+  perSystem =
+    { pkgs, system, ... }:
+    {
+      devShells.default = pkgs.mkShell {
+        packages = with pkgs; [
+          inputs.agenix.packages.${system}.default
+          deploy-rs
+          nil
+          nixfmt-rfc-style
+        ];
+      };
+    };
+}

flake.nix

@@ -2,186 +2,76 @@
   description = "My nix hosts";
 
   inputs = {
+    flake-parts.url = "github:hercules-ci/flake-parts";
+
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
-    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-24.11";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05";
 
     home-manager = {
       url = "github:nix-community/home-manager/master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    home-manager-stable = {
-      url = "github:nix-community/home-manager/release-24.11";
-      inputs.nixpkgs.follows = "nixpkgs-stable";
-    };
 
     agenix = {
       url = "github:ryantm/agenix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    deploy-rs = {
-      url = "github:serokell/deploy-rs";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    homepage = {
-      url = "github:AlexW00/StartTreeV2";
-      flake = false;
-    };
-
-    impermanence.url = "github:nix-community/impermanence";
-
-    nix-flatpak.url = "github:gmodena/nix-flatpak/?ref=v0.4.1";
-
-    nix-index-db = {
-      url = "github:nix-community/nix-index-database";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    nix-minecraft = {
-      url = "github:Infinidoge/nix-minecraft";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-
-    nixos-generators = {
-      url = "github:nix-community/nixos-generators";
       inputs.nixpkgs.follows = "nixpkgs-stable";
     };
 
+    disko.url = "github:nix-community/disko";
+
+    noctalia = {
+      url = "github:noctalia-dev/noctalia-shell";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     stylix.url = "github:danth/stylix";
 
+    nixos-cli.url = "github:nix-community/nixos-cli";
+
+    nix-flatpak.url = "github:gmodena/nix-flatpak/main";
+
+    zen-browser.url = "github:0xc000022070/zen-browser-flake";
+
+    impermanence.url = "github:nix-community/impermanence";
+
+    deploy-rs.url = "github:serokell/deploy-rs";
+
+    niri-flake.url = "github:sodiboo/niri-flake";
+
+    niri.url = "github:baduhai/niri/auto-center-when-space-available";
+
+    nix-index-database = {
+      url = "github:nix-community/nix-index-database";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    terranix = {
+      url = "github:terranix/terranix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nix-ai-tools.url = "github:numtide/nix-ai-tools";
+
+    vicinae.url = "github:vicinaehq/vicinae";
   };
 
   outputs =
-    inputs@{
-      self,
-      nixpkgs,
-      nixpkgs-stable,
-      home-manager,
-      home-manager-stable,
-      agenix,
-      deploy-rs,
-      homepage,
-      impermanence,
-      nix-flatpak,
-      nix-index-db,
-      nix-minecraft,
-      nixos-generators,
-      stylix,
-      ...
-    }:
-    {
-      nixosConfigurations = {
-        rotterdam = nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          specialArgs = {
-            inherit inputs;
-          };
-          modules = [
-            ./hosts/desktops/rotterdam.nix
-            agenix.nixosModules.default
-            home-manager.nixosModules.default
-            impermanence.nixosModules.impermanence
-            nix-index-db.nixosModules.nix-index
-            nix-flatpak.nixosModules.nix-flatpak
-            stylix.nixosModules.stylix
-            {
-              nixpkgs.overlays = [
-                agenix.overlays.default
-                self.overlays.custom
+    inputs@{ flake-parts, ... }:
+    flake-parts.lib.mkFlake { inherit inputs; } {
+      systems = [
+        "x86_64-linux"
+        "aarch64-linux"
       ];
-            }
+
+      imports = [
+        ./deploy.nix
+        ./devShells.nix
+        ./homeConfigurations.nix
+        ./nixosConfigurations.nix
+        ./nixosModules.nix
+        ./overlays.nix
+        ./packages.nix
+        ./terranixConfigurations.nix
       ];
     };
-
-        io = nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          specialArgs = {
-            inherit inputs;
-          };
-          modules = [
-            ./hosts/desktops/io.nix
-            agenix.nixosModules.default
-            home-manager.nixosModules.default
-            impermanence.nixosModules.impermanence
-            nix-index-db.nixosModules.nix-index
-            nix-flatpak.nixosModules.nix-flatpak
-            stylix.nixosModules.stylix
-            {
-              nixpkgs.overlays = [
-                agenix.overlays.default
-                self.overlays.custom
-              ];
-            }
-          ];
-        };
-
-        alexandria = nixpkgs-stable.lib.nixosSystem {
-          system = "x86_64-linux";
-          specialArgs = {
-            inherit inputs;
-          };
-          modules = [
-            ./hosts/servers/alexandria.nix
-            agenix.nixosModules.default
-            home-manager-stable.nixosModules.default
-            self.nixosModules.qbittorrent
-            ({
-              nixpkgs.overlays = [
-                agenix.overlays.default
-                nix-minecraft.overlay
-              ];
-              imports = [ nix-minecraft.nixosModules.minecraft-servers ];
-            })
-          ];
-        };
-      };
-
-      overlays = {
-        custom = final: prev: {
-          plasticity = nixpkgs.legacyPackages."x86_64-linux".callPackage ./packages/plasticity.nix { };
-        };
-      };
-
-      deploy = {
-        autoRollback = true;
-        magicRollback = false;
-        nodes = {
-          alexandria = {
-            hostname = "alexandria";
-            profiles = {
-              system = {
-                user = "root";
-                sshUser = "root";
-                remoteBuild = true;
-                path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.alexandria;
-              };
-            };
-          };
-
-          io = {
-            hostname = "io";
-            profiles = {
-              system = {
-                user = "root";
-                sshUser = "root";
-                remoteBuild = false;
-                path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.io;
-              };
-            };
-          };
-        };
-      };
-
-      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
-
-      devShells."x86_64-linux".default = nixpkgs.legacyPackages."x86_64-linux".mkShell {
-        packages = with nixpkgs.legacyPackages."x86_64-linux"; [
-          nil
-          nixfmt-rfc-style
-        ];
-      };
-
-      nixosModules.qbittorrent = import ./modules/qbittorrent.nix;
-    };
 }

homeConfigurations.nix

@@ -0,0 +1,43 @@
+{ inputs, ... }:
+
+let
+  lib = inputs.nixpkgs.lib;
+  utils = import ./utils.nix { inherit inputs lib; };
+  inherit (utils) mkHome;
+in
+
+{
+  flake.homeConfigurations = {
+    "user@rotterdam" = mkHome {
+      username = "user";
+      hostname = "rotterdam";
+      tags = [
+        "desktop"
+        "btop"
+        "comma"
+        "direnv"
+        "gaming"
+        "helix"
+        "obs-studio"
+        "starship"
+        "stylix"
+        "tmux"
+      ];
+    };
+
+    "user@io" = mkHome {
+      username = "user";
+      hostname = "io";
+      tags = [
+        "desktop"
+        "btop"
+        "comma"
+        "direnv"
+        "helix"
+        "starship"
+        "stylix"
+        "tmux"
+      ];
+    };
+  };
+}

hosts/alexandria/hardware-configuration.nix

@@ -23,17 +23,23 @@
     extraModulePackages = [ ];
   };
 
-  fileSystems."/" = {
+  fileSystems = {
+    "/" = {
       device = "/dev/disk/by-uuid/31289617-1d84-4432-a833-680b52e88525";
       fsType = "ext4";
     };
-
-  fileSystems."/boot" = {
+    "/boot" = {
       device = "/dev/disk/by-uuid/4130-BE54";
       fsType = "vfat";
     };
+  };
 
-  swapDevices = [ ];
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 8192;
+    }
+  ];
 
   networking.useDHCP = lib.mkDefault true;
 

hosts/alexandria/jellyfin.nix

@@ -0,0 +1,15 @@
+{ lib, inputs, ... }:
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+in
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.nginx.virtualHosts = mkNginxVHosts {
+    domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/";
+  };
+}

hosts/alexandria/kanidm.nix

@@ -0,0 +1,83 @@
+{
+  config,
+  lib,
+  inputs,
+  pkgs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+  kanidmCertDir = "/var/lib/kanidm/certs";
+in
+
+{
+  services.kanidm = {
+    enableServer = true;
+    enableClient = true;
+    package = pkgs.kanidm;
+
+    serverSettings = {
+      domain = "auth.baduhai.dev";
+      origin = "https://auth.baduhai.dev";
+      bindaddress = "127.0.0.1:8443";
+      ldapbindaddress = "127.0.0.1:636";
+      trust_x_forward_for = true;
+      # Use self-signed certificates for internal TLS
+      tls_chain = "${kanidmCertDir}/cert.pem";
+      tls_key = "${kanidmCertDir}/key.pem";
+    };
+
+    clientSettings = {
+      uri = "https://auth.baduhai.dev";
+    };
+  };
+
+  services.nginx.virtualHosts = mkNginxVHosts {
+    domains."auth.baduhai.dev" = {
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:8443";
+        extraConfig = ''
+          proxy_ssl_verify off;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 636 ];
+
+  # Generate self-signed certificates for kanidm's internal TLS
+  systemd.services.kanidm-generate-certs = {
+    description = "Generate self-signed TLS certificates for Kanidm";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "kanidm.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      mkdir -p ${kanidmCertDir}
+      if [ ! -f ${kanidmCertDir}/key.pem ]; then
+        ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
+          -keyout ${kanidmCertDir}/key.pem \
+          -out ${kanidmCertDir}/cert.pem \
+          -days 3650 -nodes \
+          -subj "/CN=localhost" \
+          -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+        chown -R kanidm:kanidm ${kanidmCertDir}
+        chmod 600 ${kanidmCertDir}/key.pem
+        chmod 644 ${kanidmCertDir}/cert.pem
+      fi
+    '';
+  };
+
+  # Ensure certificate generation runs before kanidm starts
+  systemd.services.kanidm = {
+    after = [ "kanidm-generate-certs.service" ];
+    wants = [ "kanidm-generate-certs.service" ];
+  };
+}

hosts/alexandria/nextcloud.nix

@@ -2,22 +2,37 @@
   lib,
   config,
   pkgs,
+  inputs,
   ...
 }:
 
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+in
+
 {
   services = {
     nextcloud = {
       enable = true;
-      package = pkgs.nextcloud30;
+      package = pkgs.nextcloud32;
       datadir = "/data/nextcloud";
       hostName = "cloud.baduhai.dev";
       configureRedis = true;
       https = true;
-      autoUpdateApps.enable = true;
       secretFile = config.age.secrets."nextcloud-secrets.json".path;
       database.createLocally = true;
       maxUploadSize = "16G";
+      extraApps = {
+        inherit (config.services.nextcloud.package.packages.apps)
+          calendar
+          contacts
+          notes
+          tasks
+          user_oidc
+          ;
+      };
+      extraAppsEnable = true;
       caching = {
         apcu = true;
         redis = true;
@@ -26,6 +41,7 @@
         trusted_proxies = [ "127.0.0.1" ];
         default_phone_region = "BR";
         maintenance_window_start = "4";
+        allow_local_remote_servers = true;
         enabledPreviewProviders = [
           "OC\\Preview\\BMP"
           "OC\\Preview\\EMF"
@@ -61,43 +77,21 @@
       };
     };
 
-    collabora-online = {
-      enable = true;
-      port = lib.strings.toInt config.ports.collabora;
-      settings.ssl = {
-        enable = false;
-        termination = true;
-      };
-    };
-
-    nginx.virtualHosts = {
-      ${config.services.nextcloud.hostName} = {
-        useACMEHost = "baduhai.dev";
-        forceSSL = true;
-        kTLS = true;
-      };
-      "office.baduhai.dev" = {
-        useACMEHost = "baduhai.dev";
-        forceSSL = true;
-        kTLS = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:${config.ports.collabora}";
-          proxyWebsockets = true;
-        };
-      };
+    nginx.virtualHosts = mkNginxVHosts {
+      domains."cloud.baduhai.dev" = { };
     };
   };
 
   age.secrets = {
     "nextcloud-secrets.json" = {
-      file = ../../../secrets/nextcloud-secrets.json.age;
+      file = ../../secrets/nextcloud-secrets.json.age;
       owner = "nextcloud";
-      group = "hosted";
+      group = "nextcloud";
     };
     nextcloud-adminpass = {
-      file = ../../../secrets/nextcloud-adminpass.age;
+      file = ../../secrets/nextcloud-adminpass.age;
       owner = "nextcloud";
-      group = "hosted";
+      group = "nextcloud";
     };
   };
 }

hosts/alexandria/nginx.nix

@@ -0,0 +1,59 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts services;
+
+  # Get all unique domains from shared services that have LAN IPs (served by this host)
+  localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "alexandria") services));
+
+  # Generate ACME cert configs for all local domains
+  acmeCerts = lib.genAttrs localDomains (domain: {
+    group = "nginx";
+  });
+in
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "baduhai@proton.me";
+      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.cloudflare.path;
+    };
+    certs = acmeCerts;
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "_" = {
+        default = true;
+        locations."/".return = "444";
+      };
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  age.secrets.cloudflare = {
+    file = ../../secrets/cloudflare.age;
+    owner = "nginx";
+    group = "nginx";
+  };
+}

hosts/alexandria/unbound.nix

@@ -0,0 +1,58 @@
+{ inputs, lib, ... }:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+in
+
+{
+  services.unbound = {
+    enable = true;
+    enableRootTrustAnchor = true;
+    settings = {
+      server = {
+        interface = [
+          "0.0.0.0"
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "192.168.0.0/16 allow"
+          "::1/128 allow"
+        ];
+
+        num-threads = 2;
+        msg-cache-size = "50m";
+        rrset-cache-size = "100m";
+        cache-min-ttl = 300;
+        cache-max-ttl = 86400;
+        prefetch = true;
+        prefetch-key = true;
+        hide-identity = true;
+        hide-version = true;
+        so-rcvbuf = "1m";
+        so-sndbuf = "1m";
+
+        # LAN-only DNS records
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'')
+          (lib.filter (e: e ? lanIP) utils.services);
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "1.1.1.1@853#cloudflare-dns.com"
+            "1.0.0.1@853#cloudflare-dns.com"
+          ];
+          forward-tls-upstream = true;
+        }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+}

hosts/alexandria/vaultwarden.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+in
+{
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://pass.baduhai.dev";
+      SIGNUPS_ALLOWED = false;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 58222;
+    };
+  };
+
+  services.nginx.virtualHosts = mkNginxVHosts {
+    domains."pass.baduhai.dev".locations."/".proxyPass =
+      "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+  };
+}

hosts/common/default.nix

@@ -1,17 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./boot.nix
-    ./console.nix
-    ./locale.nix
-    ./networking.nix
-    ./nix.nix
-    ./packages.nix
-    ./security.nix
-    ./services.nix
-    ./users.nix
-    ./virtualisation.nix
-    ./environment.nix
-  ];
-}

hosts/common/environment.nix

@@ -1,10 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.shellAliases = {
-    ls = "${pkgs.eza}/bin/eza --icons --group-directories-first";
-    neofetch = "fastfetch";
-    tree = "ls --tree";
-    syscleanup = "sudo nix-collect-garbage -d; sudo /run/current-system/bin/switch-to-configuration boot";
-  };
-}

hosts/common/packages.nix

@@ -1,21 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    agenix
-    bind
-    btop
-    fastfetch
-    git
-    helix
-    killall
-    sysz
-    tmux
-    wget
-  ];
-
-  programs = {
-    fish.enable = true;
-    command-not-found.enable = false;
-  };
-}

hosts/desktops/common/default.nix

@@ -1,16 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./boot.nix
-    ./hardware.nix
-    ./home-manager.nix
-    ./impermanence.nix
-    ./nix.nix
-    ./packages.nix
-    ./services.nix
-    ./stylix.nix
-    ./users.nix
-    ./virtualisation.nix
-  ];
-}

hosts/desktops/common/hardware.nix

@@ -1,13 +0,0 @@
-{ ... }:
-
-{
-  hardware = {
-    xpadneo.enable = true;
-    bluetooth.enable = true;
-    steam-hardware.enable = true; # Allow steam client to manage controllers
-    graphics.enable32Bit = true; # For OpenGL games
-    i2c.enable = true;
-  };
-
-  security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
-}

hosts/desktops/common/home-manager.nix

@@ -1,10 +0,0 @@
-{ ... }:
-
-{
-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    backupFileExtension = "bkp";
-    users.user = import ../../../users/desktops/user.nix;
-  };
-}

hosts/desktops/common/packages.nix

@@ -1,137 +0,0 @@
-{ inputs, pkgs, ... }:
-let
-  kdepkgs = with pkgs.kdePackages; [
-    ark
-    dolphin-plugins
-    kolourpaint
-  ];
-  kwrite = pkgs.symlinkJoin {
-    name = "kwrite";
-    paths = [ pkgs.kdePackages.kate ];
-    postBuild = ''
-      rm -rf $out/bin/kate \
-             $out/bin/.kate-wrapped \
-             $out/share/applications/org.kde.kate.desktop \
-             $out/share/man \
-             $out/share/icons/hicolor/*/apps/kate.png \
-             $out/share/icons/hicolor/scalable/apps/kate.svg \
-             $out/share/appdata/org.kde.kate.appdata.xml
-    '';
-  };
-in
-{
-  environment.systemPackages =
-    with pkgs;
-    [
-      adwaita-icon-theme
-      aspell
-      aspellDicts.de
-      aspellDicts.en
-      aspellDicts.en-computers
-      aspellDicts.pt_BR
-      bat
-      bitwarden-desktop
-      clonehero
-      deploy-rs
-      distrobox
-      fd
-      firefox
-      freecad-wayland
-      fzf
-      gimp
-      heroic
-      inkscape
-      junction
-      kara
-      kde-rounded-corners
-      kwrite
-      libfido2
-      libreoffice-qt
-      # lilipod BROKEN
-      mangohud
-      microsoft-edge
-      mission-center
-      mpv
-      nextcloud-client
-      nixfmt-rfc-style
-      nixos-firewall-tool
-      nix-init
-      nix-output-monitor
-      obsidian
-      obs-studio
-      orca-slicer
-      p7zip
-      plasma-panel-colorizer
-      plasticity
-      protonup
-      quickemu
-      quickgui
-      qview
-      qbittorrent
-      ripgrep
-      rnote
-      steam-run
-      tor-browser
-      ungoogled-chromium
-      unrar
-      ventoy
-      vesktop
-    ]
-    ++ kdepkgs;
-
-  services.flatpak = {
-    enable = true;
-    packages = [
-      "com.github.k4zmu2a.spacecadetpinball"
-      "com.github.tchx84.Flatseal"
-      "com.modrinth.ModrinthApp"
-      "com.steamgriddb.SGDBoop"
-      "app.zen_browser.zen"
-      "io.github.Foldex.AdwSteamGtk"
-      "io.itch.itch"
-      "org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/24.08"
-    ];
-    uninstallUnmanaged = true;
-    update.auto.enable = true;
-  };
-
-  programs = {
-    adb.enable = true;
-    steam.enable = true;
-    dconf.enable = true;
-    nix-ld.enable = true;
-    kdeconnect.enable = true;
-    partition-manager.enable = true;
-    gamemode.enable = true;
-    nix-index-database.comma.enable = true;
-    appimage = {
-      enable = true;
-      binfmt = true;
-    };
-    nh = {
-      enable = true;
-      flake = "/home/user/Projects/personal/nix-config";
-    };
-  };
-
-  fonts = {
-    fontDir.enable = true;
-    packages = with pkgs; [
-      corefonts
-      noto-fonts-cjk-sans
-      roboto
-    ];
-  };
-
-  environment.plasma6.excludePackages = (
-    with pkgs.kdePackages;
-    [
-      discover
-      elisa
-      gwenview
-      kate
-      khelpcenter
-      oxygen
-    ]
-  );
-}

hosts/desktops/common/services.nix

@@ -1,61 +0,0 @@
-{
-  inputs,
-  config,
-  pkgs,
-  ...
-}:
-
-{
-  services = {
-    printing.enable = true;
-    udev.packages = with pkgs; [ yubikey-personalization ];
-    desktopManager.plasma6.enable = true;
-    tailscale.useRoutingFeatures = "client";
-    nginx = {
-      enable = true;
-      virtualHosts."localhost".root = inputs.homepage;
-    };
-    pipewire = {
-      enable = true;
-      alsa.enable = true;
-      alsa.support32Bit = true;
-      pulse.enable = true;
-      jack.enable = true;
-      wireplumber.enable = true;
-    };
-    greetd = {
-      enable = true;
-      settings = {
-        default_session.command =
-          let
-            xSessions = "${config.services.displayManager.sessionData.desktops}/share/xsessions";
-            wlSessions = "${config.services.displayManager.sessionData.desktops}/share/wayland-sessions";
-          in
-          ''
-            ${pkgs.greetd.tuigreet}/bin/tuigreet \
-            --remember \
-            --asterisks \
-            --time \
-            --greeting "NixOS" \
-            --sessions ${xSessions}:${wlSessions}
-          '';
-        initial_session = {
-          command = ''
-            ${pkgs.kdePackages.plasma-workspace}/bin/startplasma-wayland &> /dev/null
-          '';
-          user = "user";
-        };
-      };
-    };
-  };
-
-  xdg.portal = {
-    enable = true;
-    xdgOpenUsePortal = true;
-    extraPortals = with pkgs; [
-      xdg-desktop-portal-kde
-      xdg-desktop-portal-gtk
-      xdg-desktop-portal-gnome
-    ];
-  };
-}

hosts/desktops/common/users.nix

@@ -1,20 +0,0 @@
-{ ... }:
-
-{
-  environment.sessionVariables = rec {
-    KDEHOME = "$XDG_CONFIG_HOME/kde4"; # Stops kde from placing a .kde4 folder in the home dir
-    NIXOS_OZONE_WL = "1"; # Forces chromium and most electron apps to run in wayland
-  };
-
-  users.users.user = {
-    description = "William";
-    extraGroups = [
-      "uaccess" # Needed for HID dev
-      "dialout" # Needed for arduino dev
-      "libvirt"
-      "libvirtd"
-      "adbusers"
-      "i2c"
-    ];
-  };
-}

hosts/desktops/common/virtualisation.nix

@@ -1,8 +0,0 @@
-{ ... }:
-
-{
-  virtualisation = {
-    libvirtd.enable = true;
-    lxd.enable = true;
-  };
-}

hosts/desktops/io/default.nix

@@ -1,8 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./ephermal.nix
-    ./hardware-configuration.nix
-  ];
-}

hosts/desktops/io/ephermal.nix

@@ -1,46 +0,0 @@
-{ ... }:
-
-{
-  boot.initrd.systemd.services.recreate-root = {
-    description = "Rolling over and creating new filesystem root";
-    requires = [ "initrd-root-device.target" ];
-    after = [
-      "local-fs-pre.target"
-      "initrd-root-device.target"
-    ];
-    requiredBy = [ "initrd-root-fs.target" ];
-    before = [ "sysroot.mount" ];
-    unitConfig = {
-      AssertPathExists = "/etc/initrd-release";
-      DefaultDependencies = false;
-    };
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      mkdir /btrfs_tmp
-      mount /dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f /btrfs_tmp
-      if [[ -e /btrfs_tmp/@root ]]; then
-        mkdir -p /btrfs_tmp/old_roots
-        timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/@root)" "+%Y-%m-%-d_%H:%M:%S")
-        mv /btrfs_tmp/@root "/btrfs_tmp/old_roots/$timestamp"
-      fi
-
-      delete_subvolume_recursively() {
-        IFS=$'\n'
-        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-          delete_subvolume_recursively "/btrfs_tmp/$i"
-        done
-        btrfs subvolume delete "$1"
-      }
-
-      for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
-        delete_subvolume_recursively "$i"
-      done
-
-      btrfs subvolume create /btrfs_tmp/@root
-      umount /btrfs_tmp
-    '';
-  };
-}

hosts/desktops/io/hardware-configuration.nix

@@ -1,83 +0,0 @@
-{
-  config,
-  lib,
-  modulesPath,
-  ...
-}:
-
-{
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
-
-  boot = {
-    initrd = {
-      availableKernelModules = [
-        "xhci_pci"
-        "ahci"
-        "usb_storage"
-        "sd_mod"
-        "sdhci_pci"
-      ];
-      luks.devices."enc" = {
-        device = "/dev/disk/by-uuid/8018720e-42dd-453c-b374-adaa02eb48c9";
-        keyFile = "/dev/disk/by-partuuid/cbc7e305-d32d-4250-b6ae-6a8264ea096e";
-      };
-    };
-    kernelModules = [ "kvm-intel" ];
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
-      fsType = "btrfs";
-      options = [
-        "subvol=@root"
-        "noatime"
-        "compress=zstd"
-      ];
-    };
-    "/home" = {
-      device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
-      fsType = "btrfs";
-      options = [
-        "subvol=@home"
-        "noatime"
-        "compress=zstd"
-      ];
-    };
-    "/nix" = {
-      device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
-      fsType = "btrfs";
-      options = [
-        "subvol=@nix"
-        "noatime"
-        "compress=zstd"
-      ];
-    };
-    "/persistent" = {
-      device = "/dev/disk/by-uuid/3638cea6-5503-43cc-aa4f-3d37ebedad2f";
-      fsType = "btrfs";
-      options = [
-        "subvol=@persistent"
-        "noatime"
-        "compress=zstd"
-      ];
-    };
-    "/boot/efi" = {
-      device = "/dev/disk/by-uuid/31C9-08FF";
-      fsType = "vfat";
-      options = [
-        "noatime"
-        "fmask=0077"
-        "dmask=0077"
-      ];
-    };
-  };
-
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-
-  networking.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-
-  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-}

hosts/desktops/rotterdam.nix

@@ -1,90 +0,0 @@
-{ pkgs, ... }:
-
-let
-  qubesnsh = pkgs.writeTextFile {
-    name = "qubes.nsh";
-    text = "HD1f65535a1:EFI\\qubes\\grubx64.efi";
-  };
-
-  reboot-into-qubes = pkgs.makeDesktopItem {
-    name = "reboot-into-qubes";
-    icon = pkgs.fetchurl {
-      url = "https://raw.githubusercontent.com/vinceliuice/Qogir-icon-theme/31f267e1f5fd4e9596bfd78dfb41a03d3a9f33ee/src/scalable/apps/distributor-logo-qubes.svg";
-      sha256 = "sha256-QbHr7s5Wcs7uFtfqZctMyS0iDbMfiiZOKy2nHhDOfn0=";
-    };
-    desktopName = "Qubes OS";
-    genericName = "Reboot into Qubes OS";
-    categories = [ "System" ];
-    startupNotify = true;
-    exec = pkgs.writeShellScript "reboot-into-qubes" ''
-      ${pkgs.yad}/bin/yad --form \
-                          --title="Qubes OS" \
-                          --image distributor-logo-qubes \
-                          --text "Are you sure you want to reboot into Qubes OS?" \
-                          --button="Yes:0" --button="Cancel:1"
-      if [ $? -eq 0 ]; then
-        systemctl reboot --boot-loader-entry=qubes.conf
-      fi
-    '';
-  };
-in
-{
-  imports = [
-    # Host-common imports
-    ../common
-    # Desktop-common imports
-    ./common
-    # Host-specific imports
-    ./rotterdam
-  ];
-
-  networking.hostName = "rotterdam";
-
-  services = {
-    flatpak.packages = [ "net.retrodeck.retrodeck" ];
-    keyd = {
-      enable = true;
-      keyboards.main = {
-        ids = [ "5653:0001" ];
-        settings.main = {
-          esc = "overload(meta, esc)";
-        };
-      };
-    };
-  };
-
-  environment.systemPackages = with pkgs; [ reboot-into-qubes ];
-
-  # hardware.graphics.extraPackages = with pkgs; [ rocmPackages.clr.icd ];
-
-  systemd.targets.hibernate.enable = false; # disable non-functional hibernate
-
-  nix.nixPath = [ "nixos-config=${./rotterdam.nix}" ];
-
-  boot = {
-    kernelParams = [
-      "processor.max_cstate=1" # Fixes bug where ryzen cpus freeze when in highest C state
-      "clearcpuid=514"
-      # Fixes amdgpu freezing
-      "amdgpu.noretry=0"
-      "amdgpu.ppfeaturemask=0xfffd3fff"
-      "amdgpu.gpu_recovery=1"
-      "amdgpu.lockup_timeout=1000"
-    ];
-    # QubesOS boot entry
-    loader.systemd-boot = {
-      extraFiles = {
-        "efi/edk2-shell/shell.efi" = "${pkgs.edk2-uefi-shell}/shell.efi";
-        "qubes.nsh" = qubesnsh;
-      };
-      extraEntries."qubes.conf" = ''
-        title Qubes OS
-        efi /efi/edk2-shell/shell.efi
-        options -nointerrupt qubes.nsh
-        sort-key ab
-      '';
-    };
-  };
-
-  programs.steam.dedicatedServer.openFirewall = true;
-}

hosts/desktops/rotterdam/default.nix

@@ -1,8 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-    ./ephermal.nix
-  ];
-}

hosts/desktops/rotterdam/ephermal.nix

@@ -1,47 +0,0 @@
-{ ... }:
-
-{
-  boot.initrd.systemd.services.recreate-root = {
-    description = "Rolling over and creating new filesystem root";
-    requires = [ "initrd-root-device.target" ];
-    after = [
-      "local-fs-pre.target"
-      "initrd-root-device.target"
-    ];
-    requiredBy = [ "initrd-root-fs.target" ];
-    before = [ "sysroot.mount" ];
-    unitConfig = {
-      AssertPathExists = "/etc/initrd-release";
-      DefaultDependencies = false;
-    };
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-    script = ''
-      mkdir /btrfs_tmp
-      mount /dev/disk/by-uuid/3287dbc3-c0fa-4096-a0b3-59b017cfecc8 /btrfs_tmp
-
-      if [[ -e /btrfs_tmp/@root ]]; then
-        mkdir -p /btrfs_tmp/old_roots
-        timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/@root)" "+%Y-%m-%-d_%H:%M:%S")
-        mv /btrfs_tmp/@root "/btrfs_tmp/old_roots/$timestamp"
-      fi
-
-      delete_subvolume_recursively() {
-        IFS=$'\n'
-        for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-           delete_subvolume_recursively "/btrfs_tmp/$i"
-        done
-        btrfs subvolume delete "$1"
-      }
-
-      for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
-        delete_subvolume_recursively "$i"
-      done
-
-      btrfs subvolume create /btrfs_tmp/@root
-      umount /btrfs_tmp
-    '';
-  };
-}

hosts/io/boot.nix

@@ -0,0 +1,14 @@
+{
+  boot = {
+    # TODO check if future kernel versions fix boot issue with systemd initrd with tpm
+    initrd.systemd.tpm2.enable = false;
+    kernelParams = [
+      "nosgx"
+      "i915.fastboot=1"
+      "mem_sleep_default=deep"
+    ];
+    extraModprobeConfig = ''
+      options snd-intel-dspcfg dsp_driver=3
+    '';
+  };
+}

hosts/io/disko.nix

@@ -0,0 +1,79 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.disko.nixosModules.default ];
+
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";
+    content = {
+      type = "gpt";
+      partitions = {
+        ESP = {
+          priority = 1;
+          name = "ESP";
+          start = "1MiB";
+          end = "1GiB";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot/efi";
+            mountOptions = [
+              "noatime"
+              "fmask=0077"
+              "dmask=0077"
+            ];
+          };
+        };
+        cryptroot = {
+          priority = 2;
+          name = "root";
+          size = "100%";
+          content = {
+            type = "luks";
+            name = "cryptroot";
+            content = {
+              type = "btrfs";
+              extraArgs = [ "-f" ];
+              subvolumes = {
+                "@root" = {
+                  mountpoint = "/";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@root"
+                  ];
+                };
+                "@home" = {
+                  mountpoint = "/home";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@home"
+                  ];
+                };
+                "@nix" = {
+                  mountpoint = "/nix";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@nix"
+                  ];
+                };
+                "@persistent" = {
+                  mountpoint = "/persistent";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@persistent"
+                  ];
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/io/hardware-configuration.nix

@@ -0,0 +1,37 @@
+{
+  config,
+  lib,
+  modulesPath,
+  inputs,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ahci"
+        "usb_storage"
+        "sd_mod"
+        "sdhci_pci"
+      ];
+    };
+    kernelModules = [ "kvm-intel" ];
+  };
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 100;
+  };
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/io/programs.nix

@@ -0,0 +1,27 @@
+{ pkgs, ... }:
+
+let
+  cml-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs {
+    wttsrc = pkgs.fetchFromGitHub {
+      owner = "WeirdTreeThing";
+      repo = "chromebook-ucm-conf";
+      rev = "b6ce2a7";
+      hash = "sha256-QRUKHd3RQmg1tnZU8KCW0AmDtfw/daOJ/H3XU5qWTCc=";
+    };
+    postInstall = ''
+      echo "v0.4.1" > $out/chromebook.patched
+      cp -R $wttsrc/{common,codecs,platforms} $out/share/alsa/ucm2
+      cp -R $wttsrc/{cml,sof-rt5682} $out/share/alsa/ucm2/conf.d
+    '';
+  };
+in
+
+{
+  environment = {
+    systemPackages = with pkgs; [
+      maliit-keyboard
+      sof-firmware
+    ];
+    sessionVariables.ALSA_CONFIG_UCM2 = "${cml-ucm-conf}/share/alsa/ucm2";
+  };
+}

hosts/io/services.nix

@@ -1,67 +1,6 @@
 { pkgs, ... }:
 
-let
-  cml-ucm-conf = pkgs.alsa-ucm-conf.overrideAttrs {
-    wttsrc = pkgs.fetchFromGitHub {
-      owner = "WeirdTreeThing";
-      repo = "chromebook-ucm-conf";
-      rev = "b6ce2a7";
-      hash = "sha256-QRUKHd3RQmg1tnZU8KCW0AmDtfw/daOJ/H3XU5qWTCc=";
-    };
-    postInstall = ''
-      echo "v0.4.1" > $out/chromebook.patched
-      cp -R $wttsrc/{common,codecs,platforms} $out/share/alsa/ucm2
-      cp -R $wttsrc/{cml,sof-rt5682} $out/share/alsa/ucm2/conf.d
-    '';
-  };
-in
 {
-  imports = [
-    # Host-common imports
-    ../common
-    # Desktop-common imports
-    ./common
-    # Host-specific imports
-    ./io
-  ];
-
-  networking.hostName = "io";
-
-  nix.nixPath = [ "nixos-config=${./io.nix}" ];
-
-  zramSwap = {
-    enable = true;
-    memoryPercent = 100;
-  };
-
-  boot = {
-    # TODO check if future kernel versions fix boot issue with systemd initrd with tpm
-    initrd.systemd.tpm2.enable = false;
-    kernelParams = [
-      "nosgx"
-      "i915.fastboot=1"
-      "mem_sleep_default=deep"
-    ];
-    extraModprobeConfig = ''
-      options snd-intel-dspcfg dsp_driver=3
-    '';
-  };
-
-  environment = {
-    systemPackages = with pkgs; [
-      maliit-keyboard
-      sof-firmware
-    ];
-    sessionVariables.ALSA_CONFIG_UCM2 = "${cml-ucm-conf}/share/alsa/ucm2";
-  };
-
-  # TODO: remove once gmodena/nix-flatpak/issues/45 fixed
-  systemd.services."flatpak-managed-install" = {
-    serviceConfig = {
-      ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
-    };
-  };
-
   services = {
     keyd = {
       enable = true;
@@ -100,7 +39,7 @@ in
             f9 = "f10";
             f10 = "f11";
             f13 = "f12";
-            u = "sysrq";
+            y = "sysrq";
             k = "home";
             l = "pageup";
             "," = "end";
@@ -109,5 +48,14 @@ in
         };
       };
     };
+    upower.enable = true;
+    power-profiles-daemon.enable = true;
+  };
+
+  # TODO: remove once gmodena/nix-flatpak/issues/45 fixed
+  systemd.services."flatpak-managed-install" = {
+    serviceConfig = {
+      ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
+    };
   };
 }

hosts/modules/ai.nix

@@ -0,0 +1,10 @@
+{ inputs, pkgs, ... }:
+
+{
+  environment.systemPackages = with inputs.nix-ai-tools.packages.${pkgs.system}; [
+    claude-desktop
+    claude-code
+    claudebox
+    opencode
+  ];
+}

hosts/modules/bluetooth.nix

@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  hardware.bluetooth.enable = true;
+}

hosts/modules/common/boot.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
   boot = {

hosts/modules/common/firewall.nix

@@ -2,7 +2,7 @@
 
 {
   networking = {
-    networkmanager.enable = true;
     firewall.enable = true;
+    nftables.enable = true;
   };
 }

hosts/modules/common/locale.nix

@@ -7,6 +7,7 @@
     defaultLocale = "en_US.UTF-8";
     extraLocaleSettings = {
       LC_ADDRESS = "pt_BR.utf8";
+      LC_COLLATE = "pt_BR.utf8";
       LC_IDENTIFICATION = "pt_BR.utf8";
       LC_MEASUREMENT = "pt_BR.utf8";
       LC_MONETARY = "pt_BR.utf8";

hosts/modules/common/nix.nix

@@ -1,6 +1,8 @@
-{ ... }:
+{ inputs, ... }:
 
 {
+  imports = [ inputs.nixos-cli.nixosModules.nixos-cli ];
+
   nix = {
     settings = {
       auto-optimise-store = true;
@@ -24,5 +26,13 @@
     buildDocs = false;
   };
 
+  services.nixos-cli = {
+    enable = true;
+    config = {
+      use_nvd = true;
+      ignore_dirty_tree = true;
+    };
+  };
+
   system.stateVersion = "22.11";
 }

hosts/modules/common/openssh.nix

@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "no";
+    extraConfig = ''
+      PrintLastLog no
+    '';
+  };
+}

hosts/modules/common/programs.nix

@@ -0,0 +1,40 @@
+{ lib, pkgs, ... }:
+
+{
+  environment = {
+    systemPackages = with pkgs; [
+      ### Dev Tools ###
+      git
+      ### System Utilities ###
+      btop
+      fastfetch
+      helix
+      nixos-firewall-tool
+      nvd
+      sysz
+      tmux
+      wget
+      yazi
+    ];
+    shellAliases = {
+      cat = "${lib.getExe pkgs.bat} --paging=never --style=plain";
+      ls = "${lib.getExe pkgs.eza} --icons --group-directories-first";
+      tree = "ls --tree";
+    };
+  };
+
+  programs = {
+    command-not-found.enable = false;
+    fish = {
+      enable = true;
+      interactiveShellInit = ''
+        set fish_greeting
+        if set -q SSH_CONNECTION
+          export TERM=xterm-256color
+          clear
+          fastfetch
+        end
+      '';
+    };
+  };
+}

hosts/modules/common/services.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  services = {
+    dbus.implementation = "broker";
+    irqbalance.enable = true;
+    fstrim.enable = true;
+  };
+}

hosts/modules/common/tailscale.nix

@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = [ "--operator=user" ];
+  };
+}

hosts/modules/common/users.nix

@@ -7,21 +7,17 @@
       shell = pkgs.fish;
       extraGroups = [
         "networkmanager"
-        "docker"
         "wheel"
       ];
       openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcwF1yuWEfYGScNocEbs0AmGxyTIzGc4/IhpU587SJE"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
       ];
       hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0";
     };
     root = {
       shell = pkgs.fish;
-      openssh.authorizedKeys.keys = [
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcwF1yuWEfYGScNocEbs0AmGxyTIzGc4/IhpU587SJE"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL"
-      ];
       hashedPassword = "!";
     };
   };

hosts/modules/desktop/desktop.nix

@@ -0,0 +1,163 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    inputs.niri-flake.nixosModules.niri
+    inputs.nix-flatpak.nixosModules.nix-flatpak
+  ];
+
+  environment = {
+    sessionVariables = {
+      KDEHOME = "$XDG_CONFIG_HOME/kde4"; # Stops kde from placing a .kde4 folder in the home dir
+      NIXOS_OZONE_WL = "1"; # Forces chromium and most electron apps to run in wayland
+    };
+    systemPackages = with pkgs; [
+      ### Web ###
+      bitwarden-desktop
+      fragments
+      nextcloud-client
+      tor-browser
+      vesktop
+      inputs.zen-browser.packages."${system}".default
+      ### Office & Productivity ###
+      aspell
+      aspellDicts.de
+      aspellDicts.en
+      aspellDicts.en-computers
+      aspellDicts.pt_BR
+      libreoffice
+      onlyoffice-desktopeditors
+      papers
+      presenterm
+      rnote
+      ### Graphics & Design ###
+      gimp
+      inkscape
+      plasticity
+      ### System Utilities ###
+      adwaita-icon-theme
+      ghostty
+      gnome-disk-utility
+      junction
+      libfido2
+      mission-center
+      nautilus
+      p7zip
+      rclone
+      toggleaudiosink
+      unrar
+      ### Media ###
+      decibels
+      loupe
+      obs-studio
+      showtime
+    ];
+  };
+
+  services = {
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+      wireplumber.enable = true;
+    };
+    greetd = {
+      enable = true;
+      settings = {
+        default_session = {
+          command = "${lib.getExe pkgs.tuigreet} --user-menu --time --remember --asterisks --cmd ${config.programs.niri.package}/bin/niri-session";
+          user = "greeter";
+        };
+      }
+      // lib.optionalAttrs (config.networking.hostName == "io") {
+        initial_session = {
+          command = "${config.programs.niri.package}/bin/niri-session";
+          user = "user";
+        };
+      };
+    };
+    flatpak = {
+      enable = true;
+      packages = [
+        ### Graphics & Design ###
+        "com.boxy_svg.BoxySVG"
+        rec {
+          appId = "io.github.softfever.OrcaSlicer";
+          sha256 = "0hdx5sg6fknj1pfnfxvlfwb5h6y1vjr6fyajbsnjph5gkp97c6p1";
+          bundle = "${pkgs.fetchurl {
+            url = "https://github.com/SoftFever/OrcaSlicer/releases/download/v2.3.0/OrcaSlicer-Linux-flatpak_V2.3.0_x86_64.flatpak";
+            inherit sha256;
+          }}";
+        }
+        ### System Utilities ###
+        "com.github.tchx84.Flatseal"
+        "com.rustdesk.RustDesk"
+      ];
+      uninstallUnmanaged = true;
+      update.auto.enable = true;
+    };
+    gvfs.enable = true;
+  };
+
+  security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
+
+  users = {
+    users.greeter = {
+      isSystemUser = true;
+      group = "greeter";
+    };
+    groups.greeter = { };
+  };
+
+  programs = {
+    niri = {
+      enable = true;
+      package = inputs.niri.packages.${pkgs.system}.niri;
+    };
+    kdeconnect = {
+      enable = true;
+      package = pkgs.valent;
+    };
+    dconf.enable = true;
+    appimage = {
+      enable = true;
+      binfmt = true;
+    };
+  };
+
+  niri-flake.cache.enable = false;
+
+  fonts = {
+    fontDir.enable = true;
+    packages = with pkgs; [
+      corefonts
+      inter
+      nerd-fonts.fira-code
+      noto-fonts-cjk-sans
+      noto-fonts-color-emoji
+      roboto
+    ];
+  };
+
+  xdg.portal = {
+    extraPortals = with pkgs; [
+      xdg-desktop-portal-gnome
+      xdg-desktop-portal-gtk
+    ];
+    config = {
+      common.default = "*";
+      niri.default = [
+        "gtk"
+        "gnome"
+      ];
+    };
+  };
+}

hosts/modules/desktop/services.nix

@@ -1,14 +1,9 @@
-{ ... }:
+{ pkgs, ... }:
 
 {
   services = {
-    fwupd.enable = true;
-    fstrim.enable = true;
-    tailscale = {
-      enable = true;
-      extraUpFlags = [ "--operator=user" ];
-    };
-    openssh.enable = true;
+    printing.enable = true;
+    udev.packages = with pkgs; [ yubikey-personalization ];
     keyd = {
       enable = true;
       keyboards.all = {

hosts/modules/dev.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    bat
+    lazygit
+    fd
+    fzf
+    glow
+    nixfmt-rfc-style
+    nix-init
+    nix-output-monitor
+    ripgrep
+  ];
+
+  programs.adb.enable = true;
+
+  users.users.user.extraGroups = [ "adbusers" ];
+}

hosts/modules/ephemeral.nix

@@ -1,6 +1,21 @@
-{ ... }:
+{ config, inputs, ... }:
 
 {
+  imports = [
+    inputs.impermanence.nixosModules.impermanence
+    inputs.self.nixosModules.ephemeral
+  ];
+
+  ephemeral = {
+    enable = true;
+    rootDevice =
+      if config.networking.hostName == "trantor" then
+        "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20-part2"
+      else
+        "/dev/mapper/cryptroot";
+    rootSubvolume = "@root";
+  };
+
   environment.persistence.main = {
     persistentStoragePath = "/persistent";
     files = [
@@ -11,13 +26,16 @@
       "/etc/ssh/ssh_host_rsa_key.pub"
     ];
     directories = [
-      "/var/log"
-      "/var/lib/bluetooth"
-      "/var/lib/nixos"
-      "/var/lib/flatpak"
-      "/var/lib/tailscale"
-      "/var/lib/systemd/coredump"
       "/etc/NetworkManager/system-connections"
+      "/etc/nixos"
+      "/var/lib/bluetooth"
+      "/var/lib/flatpak"
+      "/var/lib/lxd"
+      "/var/lib/nixos"
+      "/var/lib/systemd/coredump"
+      "/var/lib/systemd/timers"
+      "/var/lib/tailscale"
+      "/var/log"
     ];
   };
 }

hosts/modules/fwupd.nix

@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  services.fwupd.enable = true;
+}

hosts/modules/gaming.nix

@@ -0,0 +1,35 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    clonehero
+    heroic
+    mangohud
+    prismlauncher
+    steam-run
+  ];
+
+  programs = {
+    steam = {
+      enable = true;
+      extraCompatPackages = [ pkgs.proton-ge-bin ];
+    };
+    gamemode.enable = true;
+  };
+
+  hardware = {
+    xpadneo.enable = true;
+    steam-hardware.enable = true; # Allow steam client to manage controllers
+    graphics.enable32Bit = true; # For OpenGL games
+  };
+
+  services.flatpak.packages = [
+    "com.github.k4zmu2a.spacecadetpinball"
+    "com.steamgriddb.SGDBoop"
+    "io.github.Foldex.AdwSteamGtk"
+    "io.itch.itch"
+    "io.mrarm.mcpelauncher"
+    "net.retrodeck.retrodeck"
+    "org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/24.08"
+  ];
+}

hosts/modules/libvirtd.nix

@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  virtualisation.libvirtd.enable = true;
+
+  programs.virt-manager.enable = true;
+
+  users.users.user.extraGroups = [
+    "libvirt"
+    "libvirtd"
+  ];
+}

hosts/modules/networkmanager.nix

@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  networking.networkmanager = {
+    enable = true;
+    wifi.backend = "iwd";
+  };
+
+  users.users.user.extraGroups = [ "networkmanager" ];
+}

hosts/modules/podman.nix

@@ -3,7 +3,6 @@
 {
   virtualisation.podman = {
     enable = true;
-    dockerCompat = true;
     autoPrune.enable = true;
     extraPackages = [ pkgs.podman-compose ];
   };

hosts/modules/server/tailscale.nix

@@ -5,4 +5,9 @@
     extraSetFlags = [ "--advertise-exit-node" ];
     useRoutingFeatures = "server";
   };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.ipv6.conf.all.forwarding" = 1;
+  };
 }

hosts/rotterdam/boot.nix

@@ -0,0 +1,31 @@
+{ pkgs, ... }:
+
+let
+  qubesnsh = pkgs.writeTextFile {
+    name = "qubes.nsh";
+    text = "HD1f65535a1:EFI\\qubes\\grubx64.efi";
+  };
+in
+
+{
+  boot = {
+    kernelParams = [
+      "processor.max_cstate=1" # Fixes bug where ryzen cpus freeze when in highest C state
+      "clearcpuid=514"
+      "amdgpu.ppfeaturemask=0xfffd3fff" # Fixes amdgpu freezing
+    ];
+    # QubesOS boot entry
+    loader.systemd-boot = {
+      extraFiles = {
+        "efi/edk2-shell/shell.efi" = "${pkgs.edk2-uefi-shell}/shell.efi";
+        "qubes.nsh" = qubesnsh;
+      };
+      extraEntries."qubes.conf" = ''
+        title Qubes OS
+        efi /efi/edk2-shell/shell.efi
+        options -nointerrupt qubes.nsh
+        sort-key ab
+      '';
+    };
+  };
+}

hosts/rotterdam/hardware-configuration.nix

@@ -72,17 +72,7 @@
         "compress=zstd"
       ];
     };
-    "/swap" = {
-      device = "/dev/disk/by-uuid/3287dbc3-c0fa-4096-a0b3-59b017cfecc8";
-      fsType = "btrfs";
-      options = [
-        "subvol=@swap"
-        "noatime"
-      ];
   };
-  };
-
-  swapDevices = [ { device = "/swap/swapfile"; } ];
 
   networking.useDHCP = lib.mkDefault true;
 

hosts/rotterdam/hardware.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+  hardware = {
+    amdgpu.opencl.enable = true;
+    graphics.extraPackages = with pkgs; [ rocmPackages.clr.icd ];
+  };
+}

hosts/rotterdam/programs.nix

@@ -0,0 +1,31 @@
+{ pkgs, ... }:
+
+let
+  reboot-into-qubes = pkgs.makeDesktopItem {
+    name = "reboot-into-qubes";
+    icon = pkgs.fetchurl {
+      url = "https://raw.githubusercontent.com/vinceliuice/Qogir-icon-theme/31f267e1f5fd4e9596bfd78dfb41a03d3a9f33ee/src/scalable/apps/distributor-logo-qubes.svg";
+      sha256 = "sha256-QbHr7s5Wcs7uFtfqZctMyS0iDbMfiiZOKy2nHhDOfn0=";
+    };
+    desktopName = "Qubes OS";
+    genericName = "Reboot into Qubes OS";
+    categories = [ "System" ];
+    startupNotify = true;
+    exec = pkgs.writeShellScript "reboot-into-qubes" ''
+      ${pkgs.yad}/bin/yad --form \
+                          --title="Qubes OS" \
+                          --image distributor-logo-qubes \
+                          --text "Are you sure you want to reboot into Qubes OS?" \
+                          --button="Yes:0" --button="Cancel:1"
+      if [ $? -eq 0 ]; then
+        systemctl reboot --boot-loader-entry=qubes.conf
+      fi
+    '';
+  };
+in
+
+{
+  environment.systemPackages = [ reboot-into-qubes ];
+
+  programs.steam.dedicatedServer.openFirewall = true;
+}

hosts/rotterdam/services.nix

@@ -0,0 +1,11 @@
+{
+  services.keyd = {
+    enable = true;
+    keyboards.main = {
+      ids = [ "5653:0001" ];
+      settings.main = {
+        esc = "overload(meta, esc)";
+      };
+    };
+  };
+}

hosts/servers/alexandria.nix

@@ -1,34 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    # Host-common imports
-    ../common
-    # Server-common imports
-    ./common
-    # Host-specific imports
-    ./alexandria
-  ];
-
-  nix.nixPath = [ "nixos-config=${./alexandria.nix}" ];
-
-  swapDevices = [
-    {
-      device = "/swapfile";
-      size = 8192;
-    }
-  ];
-
-  networking = {
-    hostName = "alexandria";
-    firewall = {
-      allowedTCPPorts = [
-        80
-        443
-        8010
-        9666
-      ];
-      allowedUDPPorts = [ 24454 ];
-    };
-  };
-}

hosts/servers/alexandria/changedetection.nix

@@ -1,20 +0,0 @@
-{ config, lib, ... }:
-
-{
-  services = {
-    changedetection-io = {
-      enable = true;
-      behindProxy = true;
-      datastorePath = "/data/changedetection";
-      port = lib.toInt "${config.ports.changedetection-io}";
-      baseURL = "https://detect.baduhai.dev";
-    };
-
-    nginx.virtualHosts."detect.baduhai.dev" = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://127.0.0.1:${config.ports.changedetection-io}";
-    };
-  };
-}

hosts/servers/alexandria/cinny.nix

@@ -1,23 +0,0 @@
-{ config, ... }:
-
-{
-  virtualisation.oci-containers.containers."cinny" = {
-    image = "ghcr.io/cinnyapp/cinny:latest";
-    ports = [ "${config.ports.cinny}:80" ];
-    environment = {
-      TZ = "America/Bahia";
-    };
-    volumes = [ "/data/matrix/cinny-config.json:/app/config.json" ];
-    extraOptions = [
-      "--pull=newer"
-      "--label=io.containers.autoupdate=registry"
-    ];
-  };
-
-  services.nginx.virtualHosts."matrix.baduhai.dev" = {
-    useACMEHost = "baduhai.dev";
-    forceSSL = true;
-    kTLS = true;
-    locations."/".proxyPass = "http://127.0.0.1:${config.ports.cinny}";
-  };
-}

hosts/servers/alexandria/default.nix

@@ -1,51 +0,0 @@
-{ lib, ... }:
-
-let
-  mkStringOption =
-    default:
-    lib.mkOption {
-      inherit default;
-      type = lib.types.str;
-    };
-
-in
-
-{
-  imports = [
-    ./changedetection.nix
-    ./cinny.nix
-    ./forgejo.nix
-    ./hardware-configuration.nix
-    ./jellyfin.nix
-    ./librespeed.nix
-    ./memos.nix
-    ./minecraft.nix
-    ./nextcloud.nix
-    ./nginx.nix
-    ./paperless.nix
-    ./searx.nix
-    ./services.nix
-    ./users.nix
-    ./vaultwarden.nix
-  ];
-
-  options.ports = {
-    bazaar = mkStringOption "6767";
-    radarr = mkStringOption "7878";
-    vaultwarden = mkStringOption "8000";
-    changedetection-io = mkStringOption "8001";
-    cinny = mkStringOption "8002";
-    librespeed = mkStringOption "8003";
-    paperless = mkStringOption "8004";
-    yousable = mkStringOption "8005";
-    cinny2 = mkStringOption "8006";
-    searx = mkStringOption "8007";
-    qbittorrent = mkStringOption "8008";
-    actual = mkStringOption "8009";
-    memos = mkStringOption "8010";
-    collabora = mkStringOption "8011";
-    jellyfin = mkStringOption "8096";
-    sonarr = mkStringOption "8989";
-    jackett = mkStringOption "9117";
-  };
-}

hosts/servers/alexandria/forgejo.nix

@@ -1,33 +0,0 @@
-{ config, ... }:
-
-let
-  domain = "git.baduhai.dev";
-in
-
-{
-  services = {
-    forgejo = {
-      enable = true;
-      repositoryRoot = "/data/forgejo";
-      settings = {
-        session.COOKIE_SECURE = true;
-        server = {
-          PROTOCOL = "http+unix";
-          DOMAIN = domain;
-          ROOT_URL = "https://${domain}";
-          OFFLINE_MODE = true; # disable use of CDNs
-          SSH_DOMAIN = "baduhai.dev";
-        };
-        log.LEVEL = "Warn";
-        mailer.ENABLED = false;
-        actions.ENABLED = false;
-      };
-    };
-    nginx.virtualHosts.${domain} = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
-    };
-  };
-}

hosts/servers/alexandria/jellyfin.nix

@@ -1,19 +0,0 @@
-{ config, ... }:
-
-{
-  services = {
-    jellyfin = {
-      enable = true;
-      user = "user";
-      group = "hosted";
-      openFirewall = true;
-    };
-
-    nginx.virtualHosts."jellyfin.baduhai.dev" = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://127.0.0.1:${config.ports.jellyfin}";
-    };
-  };
-}

hosts/servers/alexandria/librespeed.nix

@@ -1,22 +0,0 @@
-{ config, ... }:
-
-{
-  virtualisation.oci-containers.containers."librespeed" = {
-    image = "lscr.io/linuxserver/librespeed:latest";
-    environment = {
-      TZ = "America/Bahia";
-    };
-    ports = [ "${config.ports.librespeed}:80" ];
-    extraOptions = [
-      "--pull=newer"
-      "--label=io.containers.autoupdate=registry"
-    ];
-  };
-
-  services.nginx.virtualHosts."speed.baduhai.dev" = {
-    useACMEHost = "baduhai.dev";
-    forceSSL = true;
-    kTLS = true;
-    locations."/".proxyPass = "http://127.0.0.1:${config.ports.librespeed}";
-  };
-}

hosts/servers/alexandria/memos.nix

@@ -1,23 +0,0 @@
-{ config, ... }:
-
-{
-  virtualisation.oci-containers.containers."memos" = {
-    image = "docker.io/neosmemo/memos:stable";
-    ports = [ "${config.ports.memos}:5230" ];
-    environment = {
-      TZ = "America/Bahia";
-    };
-    volumes = [ "/data/memos/:/var/opt/memos" ];
-    extraOptions = [
-      "--pull=newer"
-      "--label=io.containers.autoupdate=registry"
-    ];
-  };
-
-  services.nginx.virtualHosts."notes.baduhai.dev" = {
-    useACMEHost = "baduhai.dev";
-    forceSSL = true;
-    kTLS = true;
-    locations."/".proxyPass = "http://127.0.0.1:${config.ports.memos}";
-  };
-}

hosts/servers/alexandria/minecraft.nix

@@ -1,73 +0,0 @@
-{ pkgs, ... }:
-
-{
-  services.minecraft-servers = {
-    enable = true;
-    eula = true;
-    dataDir = "/data/minecraft";
-    servers."kingdomcums" = {
-      enable = true;
-      package = pkgs.fabricServers.fabric-1_20_1;
-      openFirewall = true;
-      serverProperties = {
-        difficulty = "normal";
-        gamemode = "survival";
-        motd = "Kingdom Cums";
-        online-mode = false;
-        spawn-protection = false;
-      };
-      symlinks."mods" = pkgs.linkFarmFromDrvs "mods" (
-        builtins.attrValues {
-          villagerNames = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/gqRXDo8B/versions/rzXhJ2pH/villagernames-1.20.1-8.1.jar";
-            sha256 = "0hcbbp3zi3nnr12kian9l645f22jr7495bcrlbng46nxp9h08pg5";
-          };
-          lithium = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/gvQqBUqZ/versions/ZSNsJrPI/lithium-fabric-mc1.20.1-0.11.2.jar";
-            sha256 = "1ycdvrs46bbdxsa6i38sfx70v47nvzzbmblfpy3hq3k8blsrbid0";
-          };
-          lootr = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/EltpO5cN/versions/fqmzdpE2/lootr-fabric-1.20-0.7.33.81.jar";
-            sha256 = "0db0472rb07nbc9i925qp3n7s7nmrq6q3alhprflgc9gqg0j0f14";
-          };
-          malilib = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/GcWjdA9I/versions/V7yLDtJV/malilib-fabric-1.20.1-0.16.3.jar";
-            sha256 = "129m1jnk58p0wid5fmagqx13wp6pw4gja01yx14aljdxgzr8kqas";
-          };
-          immersivePaintings = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/6txNkua3/versions/UjL11A4h/immersive_paintings-0.6.7%2B1.20.1-fabric.jar";
-            sha256 = "1di9a67q372z6lplnsa1kmh86armya83mimn61c8ai7izjlsfnid";
-          };
-          entityCulling = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/NNAgCjsB/versions/mahLIqpj/entityculling-fabric-1.6.7-mc1.20.1.jar";
-            sha256 = "01iz8rgljgzl0d8gcwpmr6wcvv3b0cf1siggp3dn8q5hv9przk9k";
-          };
-          fabricAPI = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/P7dR8mSH/versions/P7uGFii0/fabric-api-0.92.2%2B1.20.1.jar";
-            sha256 = "1z3hcxng2p9ymph1c0k729vxxaasi34n6fcdsqwx0wsmqi2gh025";
-          };
-          fallingTree = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/Fb4jn8m6/versions/NrtzFkZE/FallingTree-1.20.1-4.3.4.jar";
-            sha256 = "0sfv2laxzgmkhmr0kizi7g09r6fkccjhj9p5j0viqywnwx02r7fs";
-          };
-          carryOn = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/joEfVgkn/versions/Mkla4B3q/carryon-fabric-1.20.1-2.1.2.7.jar";
-            sha256 = "1pgbqrjrxw7bgwn6phpywgpjfmf5h341ba93j76ibk649wbgn9cd";
-          };
-          collective = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/e0M1UDsY/versions/jo7YkyNS/collective-1.20.1-7.84.jar";
-            sha256 = "01qvaqmd5kmxq7sins6703xq5ckc47qs5kd62gnjyfq1dbjp2y2b";
-          };
-          dynamicLights = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/7YjclEGc/versions/eU6PA0pr/dynamiclights-v1.8.3-mc1.17x-1.21x-mod.jar";
-            sha256 = "0vdv525gis1vj514iqh4rbl6byp7k0ls3lsyj0c3db8g58d784gm";
-          };
-          appleSkin = pkgs.fetchurl {
-            url = "https://cdn.modrinth.com/data/EsAfCjCV/versions/xcauwnEB/appleskin-fabric-mc1.20.1-2.5.1.jar";
-            sha256 = "1d9qmzjlk763ycmizqpmhcq0hhqw9j8hij6xk8p8l11ljr13mql5";
-          };
-        }
-      );
-    };
-  };
-}

hosts/servers/alexandria/nginx.nix

@@ -1,37 +0,0 @@
-{ config, ... }:
-
-{
-  services.nginx = {
-    enable = true;
-    group = "hosted";
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedProxySettings = true;
-    recommendedTlsSettings = true;
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      email = "baduhai@proton.me";
-      dnsResolver = "1.1.1.1:53";
-      dnsProvider = "cloudflare";
-      credentialsFile = config.age.secrets.cloudflare.path;
-    };
-    certs."baduhai.dev" = {
-      extraDomainNames = [ "*.baduhai.dev" ];
-    };
-  };
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-    "net.ipv6.conf.all.forwarding" = 1;
-  };
-
-  age.secrets.cloudflare = {
-    file = ../../../secrets/cloudflare.age;
-    owner = "nginx";
-    group = "hosted";
-  };
-
-}

hosts/servers/alexandria/paperless.nix

@@ -1,30 +0,0 @@
-{ config, lib, ... }:
-
-{
-  services = {
-    paperless = {
-      enable = true;
-      dataDir = "/data/paperless/data";
-      mediaDir = "/data/paperless/media";
-      passwordFile = config.age.secrets.paperless.path;
-      port = lib.toInt "${config.ports.paperless}";
-      consumptionDirIsPublic = true;
-      settings = {
-        PAPERLESS_OCR_LANGUAGE = "eng+por+deu";
-      };
-    };
-
-    nginx.virtualHosts."docs.baduhai.dev" = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://127.0.0.1:${config.ports.paperless}";
-    };
-  };
-
-  age.secrets.paperless = {
-    file = ../../../secrets/paperless.age;
-    owner = "paperless";
-    group = "hosted";
-  };
-}

hosts/servers/alexandria/searx.nix

@@ -1,28 +0,0 @@
-{
-  config,
-  pkgs,
-  lib,
-  ...
-}:
-
-{
-  services = {
-    searx = {
-      enable = true;
-      package = pkgs.searxng;
-      settings.server = {
-        port = lib.toInt "${config.ports.searx}";
-        bind_address = "0.0.0.0";
-        secret_key = "&yEf!xLA@y3FdJ5BjKnUnNAkqer$iW!9";
-        method = "GET";
-      };
-    };
-
-    nginx.virtualHosts."search.baduhai.dev" = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://127.0.0.1:${config.ports.searx}";
-    };
-  };
-}

hosts/servers/alexandria/services.nix

@@ -1,9 +0,0 @@
-{ ... }:
-
-{
-  services.postgresql.enable = true;
-
-  # TODO: remove when bug fux 
-  # Workaround for upstream bug in NetworkManager-wait-online.service
-  systemd.services.NetworkManager-wait-online.enable = false;
-}

hosts/servers/alexandria/users.nix

@@ -1,20 +0,0 @@
-{ ... }:
-
-{
-  users = {
-    users = {
-      nginx.extraGroups = [ "acme" ];
-    };
-    groups = {
-      hosted = {
-        gid = 1005;
-        members = [
-          "user"
-          "minecraft"
-          "paperless"
-          "vaultwarden"
-        ];
-      };
-    };
-  };
-}

hosts/servers/alexandria/vaultwarden.nix

@@ -1,22 +0,0 @@
-{ config, ... }:
-
-{
-  services = {
-    vaultwarden = {
-      enable = true;
-      config = {
-        DOMAIN = "https://pass.baduhai.dev";
-        SIGNUPS_ALLOWED = true;
-        ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = "${config.ports.vaultwarden}";
-      };
-    };
-
-    nginx.virtualHosts."pass.baduhai.dev" = {
-      useACMEHost = "baduhai.dev";
-      forceSSL = true;
-      kTLS = true;
-      locations."/".proxyPass = "http://127.0.0.1:${config.ports.vaultwarden}";
-    };
-  };
-}

hosts/servers/common/default.nix

@@ -1,10 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./boot.nix
-    ./home-manager.nix
-    ./nix.nix
-    ./services.nix
-  ];
-}

hosts/servers/common/home-manager.nix

@@ -1,10 +0,0 @@
-{ ... }:
-
-{
-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    backupFileExtension = "bkp";
-    users.user = import ../../../users/servers/user.nix;
-  };
-}

hosts/trantor/boot.nix

@@ -0,0 +1,6 @@
+{
+  boot = {
+    initrd.systemd.enable = true;
+    loader.efi.efiSysMountPoint = "/boot/efi";
+  };
+}

hosts/trantor/disko.nix

@@ -0,0 +1,64 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.disko.nixosModules.default ];
+
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20";
+    content = {
+      type = "gpt";
+      partitions = {
+        ESP = {
+          priority = 1;
+          name = "ESP";
+          start = "1MiB";
+          end = "512MiB";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot/efi";
+            mountOptions = [
+              "noatime"
+              "fmask=0077"
+              "dmask=0077"
+            ];
+          };
+        };
+        root = {
+          priority = 2;
+          name = "root";
+          size = "100%";
+          content = {
+            type = "btrfs";
+            extraArgs = [ "-f" ];
+            subvolumes = {
+              "@root" = {
+                mountpoint = "/";
+                mountOptions = [
+                  "noatime"
+                  "compress=zstd"
+                ];
+              };
+              "@nix" = {
+                mountpoint = "/nix";
+                mountOptions = [
+                  "noatime"
+                  "compress=zstd"
+                ];
+              };
+              "@persistent" = {
+                mountpoint = "/persistent";
+                mountOptions = [
+                  "noatime"
+                  "compress=zstd"
+                ];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/trantor/fail2ban.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    ignoreIP = [
+      "127.0.0.0/8"
+      "::1"
+      "10.0.0.0/8"
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+      "100.64.0.0/10"
+    ];
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "10000h";
+      overalljails = true;
+    };
+  };
+}

hosts/trantor/forgejo.nix

@@ -0,0 +1,72 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+in
+
+{
+  services = {
+    forgejo = {
+      enable = true;
+      settings = {
+        session.COOKIE_SECURE = true;
+        server = {
+          PROTOCOL = "http+unix";
+          DOMAIN = "git.baduhai.dev";
+          ROOT_URL = "https://git.baduhai.dev";
+          OFFLINE_MODE = true; # disable use of CDNs
+          SSH_DOMAIN = "git.baduhai.dev";
+        };
+        log.LEVEL = "Warn";
+        mailer.ENABLED = false;
+        actions.ENABLED = false;
+        service.DISABLE_REGISTRATION = true;
+        oauth2_client = {
+          ENABLE_AUTO_REGISTRATION = true;
+          UPDATE_AVATAR = true;
+          ACCOUNT_LINKING = "login";
+          USERNAME = "preferred_username";
+        };
+      };
+    };
+    nginx.virtualHosts = mkNginxVHosts {
+      domains."git.baduhai.dev".locations."/".proxyPass =
+        "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
+    };
+    fail2ban.jails.forgejo = {
+      settings = {
+        enabled = true;
+        filter = "forgejo";
+        maxretry = 3;
+        findtime = "10m";
+        bantime = "1h";
+      };
+    };
+  };
+
+  environment = {
+    etc."fail2ban/filter.d/forgejo.conf".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+      journalmatch = _SYSTEMD_UNIT=forgejo.service
+    '';
+
+    persistence.main.directories = [
+      {
+        directory = config.services.forgejo.stateDir;
+        inherit (config.services.forgejo) user group;
+        mode = "0700";
+      }
+    ];
+  };
+
+  # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
+  systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
+}

hosts/trantor/hardware-configuration.nix

@@ -0,0 +1,20 @@
+{
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "usbhid"
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

hosts/trantor/networking.nix

@@ -0,0 +1,8 @@
+{
+  networking = {
+    firewall = {
+      allowedTCPPorts = [ 25566 ];
+      allowedUDPPorts = [ 25566 ];
+    };
+  };
+}

hosts/trantor/nginx.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts services;
+
+  # Get all unique domains from shared services on trantor (host = "trantor")
+  localDomains = lib.unique (
+    map (s: s.domain) (lib.filter (s: s.host == "trantor") services)
+  );
+
+  # Generate ACME cert configs for all local domains
+  acmeCerts = lib.genAttrs localDomains (domain: {
+    group = "nginx";
+  });
+in
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "baduhai@proton.me";
+      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.cloudflare.path;
+    };
+    certs = acmeCerts;
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "_" = {
+        default = true;
+        locations."/".return = "444";
+      };
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  age.secrets.cloudflare = {
+    file = ../../secrets/cloudflare.age;
+    owner = "nginx";
+    group = "nginx";
+  };
+}

hosts/trantor/openssh.nix

@@ -0,0 +1,23 @@
+{ ... }:
+
+{
+  services = {
+    openssh = {
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+      };
+    };
+    fail2ban.jails.sshd = {
+      settings = {
+        enabled = true;
+        port = "ssh";
+        filter = "sshd";
+        logpath = "/var/log/auth.log";
+        maxretry = 3;
+        findtime = "10m";
+        bantime = "1h";
+      };
+    };
+  };
+}

hosts/trantor/unbound.nix

@@ -0,0 +1,58 @@
+{ inputs, lib, ... }:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+in
+
+{
+  services.unbound = {
+    enable = true;
+    enableRootTrustAnchor = true;
+    settings = {
+      server = {
+        interface = [
+          "0.0.0.0"
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "100.64.0.0/10 allow" # Tailscale CGNAT range
+          "::1/128 allow"
+          "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
+        ];
+
+        num-threads = 2;
+        msg-cache-size = "50m";
+        rrset-cache-size = "100m";
+        cache-min-ttl = 300;
+        cache-max-ttl = 86400;
+        prefetch = true;
+        prefetch-key = true;
+        hide-identity = true;
+        hide-version = true;
+        so-rcvbuf = "1m";
+        so-sndbuf = "1m";
+
+        # Tailnet DNS records from shared services
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') utils.services;
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "1.1.1.1@853#cloudflare-dns.com"
+            "1.0.0.1@853#cloudflare-dns.com"
+          ];
+          forward-tls-upstream = true;
+        }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+}

modules/ephemeral.nix

@@ -0,0 +1,84 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.ephemeral;
+in
+{
+  options.ephemeral = {
+    enable = lib.mkEnableOption "ephemeral root with automatic rollback";
+
+    rootDevice = lib.mkOption {
+      type = lib.types.str;
+      example = "/dev/mapper/cryptroot";
+      description = "Device path for the root btrfs filesystem";
+    };
+
+    rootSubvolume = lib.mkOption {
+      type = lib.types.str;
+      example = "@root";
+      description = "Name of the root btrfs subvolume";
+    };
+
+    oldRootRetentionDays = lib.mkOption {
+      type = lib.types.int;
+      default = 30;
+      description = "Number of days to keep old root snapshots before deletion";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    boot.initrd.systemd.services.recreate-root = {
+      description = "Rolling over and creating new filesystem root";
+      requires = [ "initrd-root-device.target" ];
+      after = [
+        "local-fs-pre.target"
+        "initrd-root-device.target"
+      ];
+      requiredBy = [ "initrd-root-fs.target" ];
+      before = [ "sysroot.mount" ];
+      unitConfig = {
+        AssertPathExists = "/etc/initrd-release";
+        DefaultDependencies = false;
+      };
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        set -euo pipefail
+
+        mkdir /btrfs_tmp
+        if ! mount ${cfg.rootDevice} /btrfs_tmp; then
+          echo "ERROR: Failed to mount ${cfg.rootDevice}"
+          exit 1
+        fi
+
+        if [[ -e /btrfs_tmp/${cfg.rootSubvolume} ]]; then
+          mkdir -p /btrfs_tmp/old_roots
+          timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/${cfg.rootSubvolume})" "+%Y-%m-%-d_%H:%M:%S")
+          mv /btrfs_tmp/${cfg.rootSubvolume} "/btrfs_tmp/old_roots/$timestamp"
+        fi
+
+        delete_subvolume_recursively() {
+          IFS=$'\n'
+          for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+             delete_subvolume_recursively "/btrfs_tmp/$i"
+          done
+          btrfs subvolume delete "$1"
+        }
+
+        for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +${toString cfg.oldRootRetentionDays}); do
+          delete_subvolume_recursively "$i"
+        done
+
+        if ! btrfs subvolume create /btrfs_tmp/${cfg.rootSubvolume}; then
+          echo "ERROR: Failed to create subvolume ${cfg.rootSubvolume}"
+          umount /btrfs_tmp
+          exit 1
+        fi
+
+        umount /btrfs_tmp
+      '';
+    };
+  };
+}

modules/qbittorrent.nix

@@ -1,123 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-with lib;
-let
-  cfg = config.services.qbittorrent;
-  configDir = "${cfg.dataDir}/.config";
-  openFilesLimit = 4096;
-in
-{
-  options.services.qbittorrent = {
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Run qBittorrent headlessly as systemwide daemon
-      '';
-    };
-
-    dataDir = mkOption {
-      type = types.path;
-      default = "/var/lib/qbittorrent";
-      description = ''
-        The directory where qBittorrent will create files.
-      '';
-    };
-
-    user = mkOption {
-      type = types.str;
-      default = "qbittorrent";
-      description = ''
-        User account under which qBittorrent runs.
-      '';
-    };
-
-    group = mkOption {
-      type = types.str;
-      default = "qbittorrent";
-      description = ''
-        Group under which qBittorrent runs.
-      '';
-    };
-
-    port = mkOption {
-      type = types.port;
-      default = 8080;
-      description = ''
-        qBittorrent web UI port.
-      '';
-    };
-
-    openFirewall = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Open services.qBittorrent.port to the outside network.
-      '';
-    };
-
-    openFilesLimit = mkOption {
-      default = openFilesLimit;
-      description = ''
-        Number of files to allow qBittorrent to open.
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-
-    environment.systemPackages = [ pkgs.qbittorrent ];
-
-    nixpkgs.overlays = [
-      (final: prev: {
-        qbittorrent = prev.qbittorrent.override { guiSupport = false; };
-      })
-    ];
-
-    networking.firewall = mkIf cfg.openFirewall {
-      allowedTCPPorts = [ cfg.port ];
-      allowedUDPPorts = [ cfg.port ];
-    };
-
-    systemd.services.qbittorrent = {
-      after = [ "network.target" ];
-      description = "qBittorrent Daemon";
-      wantedBy = [ "multi-user.target" ];
-      path = [ pkgs.qbittorrent ];
-      serviceConfig = {
-        ExecStart = ''
-          ${pkgs.qbittorrent}/bin/qbittorrent-nox \
-            --profile=${configDir} \
-            --webui-port=${toString cfg.port}
-        '';
-        # To prevent "Quit & shutdown daemon" from working; we want systemd to
-        # manage it!
-        Restart = "on-success";
-        User = cfg.user;
-        Group = cfg.group;
-        UMask = "0002";
-        LimitNOFILE = cfg.openFilesLimit;
-      };
-    };
-
-    users.users = mkIf (cfg.user == "qbittorrent") {
-      qbittorrent = {
-        group = cfg.group;
-        home = cfg.dataDir;
-        createHome = true;
-        description = "qBittorrent Daemon user";
-      };
-    };
-
-    users.groups = mkIf (cfg.group == "qbittorrent") {
-      qbittorrent = {
-        gid = null;
-      };
-    };
-  };
-}

nixosConfigurations.nix

@@ -0,0 +1,55 @@
+{ inputs, ... }:
+let
+  lib = inputs.nixpkgs.lib;
+  utils = import ./utils.nix { inherit inputs lib; };
+  inherit (utils) mkHost;
+in
+{
+  flake.nixosConfigurations = {
+    rotterdam = mkHost {
+      hostname = "rotterdam";
+      tags = [
+        "desktop"
+        "ai"
+        "bluetooth"
+        "dev"
+        "ephemeral"
+        "fwupd"
+        "gaming"
+        "libvirtd"
+        "networkmanager"
+        "podman"
+      ];
+    };
+
+    io = mkHost {
+      hostname = "io";
+      tags = [
+        "desktop"
+        "ai"
+        "bluetooth"
+        "dev"
+        "ephemeral"
+        "networkmanager"
+        "podman"
+      ];
+    };
+
+    alexandria = mkHost {
+      hostname = "alexandria";
+      tags = [
+        # "server" TODO: uncomment when 25.11 is out.
+        "fwupd"
+      ];
+    };
+
+    trantor = mkHost {
+      hostname = "trantor";
+      system = "aarch64-linux";
+      tags = [
+        "server"
+        "ephemeral"
+      ];
+    };
+  };
+}

nixosModules.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  flake.nixosModules = {
+    ephemeral = import ./modules/ephemeral.nix;
+  };
+}

overlays.nix

@@ -0,0 +1,13 @@
+{ inputs, ... }:
+
+{
+  flake.overlays = {
+    default = final: prev: {
+      base16-schemes = inputs.self.packages.${final.system}.base16-schemes;
+      fastfetch = inputs.self.packages.${final.system}.fastfetch;
+      hm-cli = inputs.self.packages.${final.system}.hm-cli;
+      kwrite = inputs.self.packages.${final.system}.kwrite;
+      toggleaudiosink = inputs.self.packages.${final.system}.toggleaudiosink;
+    };
+  };
+}

packages.nix

@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+  perSystem =
+    { pkgs, system, ... }:
+    {
+      packages = {
+        base16-schemes = pkgs.callPackage ./packages/base16-schemes.nix { };
+        fastfetch = pkgs.callPackage ./packages/fastfetch.nix { };
+        hm-cli = pkgs.callPackage ./packages/hm-cli.nix { };
+        kwrite = pkgs.callPackage ./packages/kwrite.nix { };
+        toggleaudiosink = pkgs.callPackage ./packages/toggleaudiosink.nix { };
+      };
+    };
+}

packages/base16-schemes.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+}:
+stdenv.mkDerivation (finalAttrs: {
+  pname = "base16-schemes";
+  version = "0-unstable-2025-06-04";
+
+  src = fetchFromGitHub {
+    owner = "tinted-theming";
+    repo = "schemes";
+    rev = "317a5e10c35825a6c905d912e480dfe8e71c7559";
+    hash = "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/share/themes/
+    install base16/*.yaml $out/share/themes/
+
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "All the color schemes for use in base16 packages";
+    homepage = "https://github.com/tinted-theming/schemes";
+    maintainers = [ lib.maintainers.DamienCassou ];
+    license = lib.licenses.mit;
+  };
+})

packages/fastfetch.nix

@@ -0,0 +1,81 @@
+{
+  lib,
+  pkgs ? import <nixpkgs> { },
+}:
+
+let
+  fastfetch-logo = pkgs.fetchurl {
+    url = "https://discourse.nixos.org/uploads/default/original/3X/3/6/36954e6d6aa32c8b00f50ca43f142d898c1ff535.png";
+    hash = "sha256-aLHz8jSAFocrn+Pb4vRq0wtkYFJpBpZRevd+VoZC/PQ=";
+  };
+
+  fastfetch-config = pkgs.writeText "fastfetch-config.json" (
+    builtins.toJSON {
+      "$schema" = "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json";
+      modules = [
+        "title"
+        "separator"
+        {
+          type = "os";
+          keyWidth = 9;
+        }
+        {
+          type = "kernel";
+          keyWidth = 9;
+        }
+        {
+          type = "uptime";
+          keyWidth = 9;
+        }
+        {
+          type = "shell";
+          keyWidth = 9;
+        }
+        "break"
+        {
+          type = "cpu";
+          keyWidth = 11;
+        }
+        {
+          type = "memory";
+          keyWidth = 11;
+        }
+        {
+          type = "swap";
+          keyWidth = 11;
+        }
+        {
+          type = "disk";
+          folders = "/";
+          keyWidth = 11;
+        }
+        {
+          type = "command";
+          key = "Systemd";
+          keyWidth = 11;
+          text = "echo \"$(systemctl list-units --state=failed --no-legend | wc -l) failed units, $(systemctl list-jobs --no-legend | wc -l) queued jobs\"";
+        }
+        "break"
+        {
+          type = "command";
+          key = "Public IP";
+          keyWidth = 15;
+          text = "curl -s -4 ifconfig.me 2>/dev/null || echo 'N/A'";
+        }
+        {
+          type = "command";
+          key = "Tailscale IP";
+          keyWidth = 15;
+          text = "tailscale ip -4 2>/dev/null || echo 'N/A'";
+        }
+        {
+          type = "command";
+          key = "Local IP";
+          keyWidth = 15;
+          text = "ip -4 addr show scope global | grep inet | head -n1 | awk '{print $2}' | cut -d/ -f1";
+        }
+      ];
+    }
+  );
+in
+pkgs.writeShellScriptBin "fastfetch" ''exec ${lib.getExe pkgs.fastfetch} --config ${fastfetch-config} --logo-type kitty --logo ${fastfetch-logo} --logo-padding-right 1 --logo-width 36 "$@" ''