flake.lock: Update

Flake lock file updates:

• Updated input 'nix-ai-tools':
    'github:numtide/nix-ai-tools/58d5d222d6802a75c1ed637d049ea438d199051a?narHash=sha256-pQ2XzsB/n8E5FWYnICZu/BzkKy8a50EzmUGTCo5SeHg%3D' (2025-11-13)
  → 'github:numtide/nix-ai-tools/a2dfa932ed37e5b6224b39b4982c85cd8ebcca14?narHash=sha256-n6bChFrCf2/uHzTsZdABUt1%2BUa3n0jinNfamHd5DmBA%3D' (2025-11-17)
• Updated input 'nix-ai-tools/blueprint':
    'github:numtide/blueprint/633af1961cae8e02bc6195e6e599a6b09bf75217?narHash=sha256-wTQzbbQ6XHtvNJVuhJj%2BytZDRyNtwUKbrIfIvMvKNfQ%3D' (2025-10-28)
  → 'github:numtide/blueprint/5a9bba070f801d63e2af3c9ef00b86b212429f4f?narHash=sha256-O9Y%2BWer8wOh%2BN%2B4kcCK5p/VLrXyX%2Bktk0/s3HdZvJzk%3D' (2025-11-16)
• Updated input 'nix-ai-tools/nixpkgs':
    'github:NixOS/nixpkgs/9da7f1cf7f8a6e2a7cb3001b048546c92a8258b4?narHash=sha256-SlybxLZ1/e4T2lb1czEtWVzDCVSTvk9WLwGhmxFmBxI%3D' (2025-11-11)
  → 'github:NixOS/nixpkgs/85a6c4a07faa12aaccd81b36ba9bfc2bec974fa1?narHash=sha256-3YJkOBrFpmcusnh7i8GXXEyh7qZG/8F5z5%2B717550Hk%3D' (2025-11-16)

.gitignore

@@ -1,4 +1,13 @@
-result/
+# Nix build outputs
 result
+result-*
 .direnv/
-.pre-commit-config.yaml
+oci-trantor/
+tailscale-tailnet/
+cloudflare-baduhaidev
+
+# Personal notes and temporary files
+todo.md
+notes.md
+scratch/
+tmp/

deploy.nix

@@ -0,0 +1,48 @@
+{ inputs, self, ... }:
+{
+  flake.deploy = {
+    remoteBuild = true;
+    nodes = {
+      alexandria = {
+        hostname = "alexandria";
+        profiles.system = {
+          sshUser = "user";
+          path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.alexandria;
+          user = "root";
+        };
+      };
+
+      trantor = {
+        hostname = "trantor";
+        profiles.system = {
+          sshUser = "user";
+          path = inputs.deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.trantor;
+          user = "root";
+        };
+      };
+
+      io = {
+        hostname = "io";
+        profiles = {
+          system = {
+            sshUser = "user";
+            path = inputs.deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.io;
+            user = "root";
+            remoteBuild = false;
+          };
+          user = {
+            sshUser = "user";
+            path = inputs.deploy-rs.lib.x86_64-linux.activate.home-manager self.homeConfigurations."user@io";
+            user = "user";
+            remoteBuild = false;
+          };
+        };
+      };
+    };
+  };
+  perSystem =
+    { system, ... }:
+    {
+      checks = inputs.deploy-rs.lib.${system}.deployChecks self.deploy;
+    };
+}

devShells.nix

@@ -0,0 +1,16 @@
+{ inputs, ... }:
+
+{
+  perSystem =
+    { pkgs, system, ... }:
+    {
+      devShells.default = pkgs.mkShell {
+        packages = with pkgs; [
+          inputs.agenix.packages.${system}.default
+          deploy-rs
+          nil
+          nixfmt-rfc-style
+        ];
+      };
+    };
+}

flake.nix

@@ -2,6 +2,8 @@
   description = "My nix hosts";
 
   inputs = {
+    flake-parts.url = "github:hercules-ci/flake-parts";
+
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.05";
 
@@ -9,183 +11,67 @@
       url = "github:nix-community/home-manager/master";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    home-manager-stable = {
-      url = "github:nix-community/home-manager/release-25.05";
-      inputs.nixpkgs.follows = "nixpkgs-stable";
-    };
-
-    stylix = {
-      url = "github:danth/stylix";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
 
     agenix = {
       url = "github:ryantm/agenix";
       inputs.nixpkgs.follows = "nixpkgs-stable";
     };
 
-    disko = {
+    disko.url = "github:nix-community/disko";
-      url = "github:nix-community/disko?ref=v1.11.0";
+
-      inputs.nixpkgs.follows = "nixpkgs-stable";
+    noctalia = {
+      url = "github:noctalia-dev/noctalia-shell";
+      inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    stylix.url = "github:danth/stylix";
+
     nixos-cli.url = "github:nix-community/nixos-cli";
 
     nix-flatpak.url = "github:gmodena/nix-flatpak/main";
 
+    zen-browser.url = "github:0xc000022070/zen-browser-flake";
+
     impermanence.url = "github:nix-community/impermanence";
 
-    nixvim.url = "github:nix-community/nixvim";
+    deploy-rs.url = "github:serokell/deploy-rs";
+
+    niri-flake.url = "github:sodiboo/niri-flake";
+
+    niri.url = "github:baduhai/niri/auto-center-when-space-available";
+
+    nix-index-database = {
+      url = "github:nix-community/nix-index-database";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    terranix = {
+      url = "github:terranix/terranix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nix-ai-tools.url = "github:numtide/nix-ai-tools";
+
+    vicinae.url = "github:vicinaehq/vicinae";
   };
 
   outputs =
-    inputs@{
+    inputs@{ flake-parts, ... }:
-      self,
+    flake-parts.lib.mkFlake { inherit inputs; } {
-      nixpkgs,
-      nixpkgs-stable,
-      home-manager,
-      home-manager-stable,
-      stylix,
-      disko,
-      agenix,
-      nixos-cli,
-      nix-flatpak,
-      impermanence,
-      nixvim,
-      ...
-    }:
-    let
       systems = [
         "x86_64-linux"
         "aarch64-linux"
       ];
-      forAllSystems = nixpkgs.lib.genAttrs systems;
-      forAllSystemsWithPkgs =
-        f:
-        forAllSystems (
-          system:
-          let
-            pkgs = nixpkgs.legacyPackages.${system};
-          in
-          f system pkgs
-        );
-    in
-    {
-      nixosConfigurations =
-        let
-          mkHost =
-            {
-              hostname,
-              type, # workstation|server
-              system ? "x86_64-linux",
-              extraModules ? [ ],
-            }:
-            let
-              pkgs = if type == "server" then nixpkgs-stable else nixpkgs;
-              hm = if type == "server" then home-manager-stable else home-manager;
-              hostTypeFlags = {
-                isServer = type == "server";
-                isWorkstation = type == "workstation";
-              };
-              defaultModules = [
-                ./hosts/${hostname}.nix
-                agenix.nixosModules.default
-                disko.nixosModules.default
-                hm.nixosModules.default
-                impermanence.nixosModules.impermanence
-                nix-flatpak.nixosModules.nix-flatpak
-                stylix.nixosModules.stylix
-                nixvim.nixosModules.nixvim
-                nixos-cli.nixosModules.nixos-cli
-                {
-                  nixpkgs.overlays = [
-                    agenix.overlays.default
-                  ];
-                }
-              ];
-              workstationModules = [
-                {
-                  nixpkgs.overlays = [
-                    self.overlays.workstationOverlay
-                  ];
-                }
-              ];
-              serverModules = [
-                {
-                  nixpkgs.overlays = [
-                    self.overlays.serverOverlay
-                  ];
-                }
-              ];
-              typeModules = if type == "server" then serverModules else workstationModules;
-              allModules = defaultModules ++ typeModules ++ extraModules;
-            in
-            pkgs.lib.nixosSystem {
-              inherit system;
-              specialArgs = {
-                inherit inputs;
-                hostType = hostTypeFlags;
-              };
-              modules = allModules;
-            };
-        in
-        {
-          rotterdam = mkHost {
-            hostname = "rotterdam";
-            type = "workstation";
-          };
-          io = mkHost {
-            hostname = "io";
-            type = "workstation";
-          };
-          alexandria = mkHost {
-            hostname = "alexandria";
-            type = "server";
-            extraModules = [
-              self.nixosModules.qbittorrent
-            ];
-          };
-          trantor = mkHost {
-            hostname = "trantor";
-            type = "server";
-            system = "aarch64-linux";
-          };
-        };
 
-      devShells = forAllSystemsWithPkgs (
+      imports = [
-        system: pkgs: {
+        ./deploy.nix
-          default = pkgs.mkShell {
+        ./devShells.nix
-            packages = with pkgs; [
+        ./homeConfigurations.nix
-              nil
+        ./nixosConfigurations.nix
-              nixfmt-rfc-style
+        ./nixosModules.nix
-            ];
+        ./overlays.nix
-          };
+        ./packages.nix
-        }
+        ./terranixConfigurations.nix
-      );
+      ];
-
-      packages = forAllSystemsWithPkgs (
-        system: pkgs:
-        {
-          toggleaudiosink = pkgs.callPackage ./packages/toggleaudiosink.nix { };
-        }
-        // nixpkgs.lib.optionalAttrs (system == "x86_64-linux") {
-          plasticity = pkgs.callPackage ./packages/plasticity.nix { };
-        }
-      );
-
-      overlays = {
-        overlay = final: prev: {
-        };
-        workstationOverlay = final: prev: {
-          plasticity = self.packages.${final.system}.plasticity;
-          toggleaudiosink = self.packages.${final.system}.toggleaudiosink;
-        };
-        serverOverlay = final: prev: {
-        };
-      };
-
-      nixosModules = {
-        qbittorrent = import ./modules/qbittorrent.nix;
-      };
     };
 }

homeConfigurations.nix

@@ -0,0 +1,43 @@
+{ inputs, ... }:
+
+let
+  lib = inputs.nixpkgs.lib;
+  utils = import ./utils.nix { inherit inputs lib; };
+  inherit (utils) mkHome;
+in
+
+{
+  flake.homeConfigurations = {
+    "user@rotterdam" = mkHome {
+      username = "user";
+      hostname = "rotterdam";
+      tags = [
+        "desktop"
+        "btop"
+        "comma"
+        "direnv"
+        "gaming"
+        "helix"
+        "obs-studio"
+        "starship"
+        "stylix"
+        "tmux"
+      ];
+    };
+
+    "user@io" = mkHome {
+      username = "user";
+      hostname = "io";
+      tags = [
+        "desktop"
+        "btop"
+        "comma"
+        "direnv"
+        "helix"
+        "starship"
+        "stylix"
+        "tmux"
+      ];
+    };
+  };
+}

hosts/alexandria.nix

@@ -1,12 +0,0 @@
-{ ... }:
-
-{
-  networking.hostName = "alexandria";
-
-  imports = [
-    ./modules/alexandria
-    ./modules
-  ];
-
-  nix.nixPath = [ "nixos-config=${./alexandria.nix}" ];
-}

hosts/alexandria/jellyfin.nix

@@ -0,0 +1,15 @@
+{ lib, inputs, ... }:
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+in
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.nginx.virtualHosts = mkNginxVHosts {
+    domains."jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/";
+  };
+}

hosts/alexandria/kanidm.nix

@@ -0,0 +1,83 @@
+{
+  config,
+  lib,
+  inputs,
+  pkgs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+  kanidmCertDir = "/var/lib/kanidm/certs";
+in
+
+{
+  services.kanidm = {
+    enableServer = true;
+    enableClient = true;
+    package = pkgs.kanidm;
+
+    serverSettings = {
+      domain = "auth.baduhai.dev";
+      origin = "https://auth.baduhai.dev";
+      bindaddress = "127.0.0.1:8443";
+      ldapbindaddress = "127.0.0.1:636";
+      trust_x_forward_for = true;
+      # Use self-signed certificates for internal TLS
+      tls_chain = "${kanidmCertDir}/cert.pem";
+      tls_key = "${kanidmCertDir}/key.pem";
+    };
+
+    clientSettings = {
+      uri = "https://auth.baduhai.dev";
+    };
+  };
+
+  services.nginx.virtualHosts = mkNginxVHosts {
+    domains."auth.baduhai.dev" = {
+      locations."/" = {
+        proxyPass = "https://127.0.0.1:8443";
+        extraConfig = ''
+          proxy_ssl_verify off;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header Host $host;
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 636 ];
+
+  # Generate self-signed certificates for kanidm's internal TLS
+  systemd.services.kanidm-generate-certs = {
+    description = "Generate self-signed TLS certificates for Kanidm";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "kanidm.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      mkdir -p ${kanidmCertDir}
+      if [ ! -f ${kanidmCertDir}/key.pem ]; then
+        ${pkgs.openssl}/bin/openssl req -x509 -newkey rsa:4096 \
+          -keyout ${kanidmCertDir}/key.pem \
+          -out ${kanidmCertDir}/cert.pem \
+          -days 3650 -nodes \
+          -subj "/CN=localhost" \
+          -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
+        chown -R kanidm:kanidm ${kanidmCertDir}
+        chmod 600 ${kanidmCertDir}/key.pem
+        chmod 644 ${kanidmCertDir}/cert.pem
+      fi
+    '';
+  };
+
+  # Ensure certificate generation runs before kanidm starts
+  systemd.services.kanidm = {
+    after = [ "kanidm-generate-certs.service" ];
+    wants = [ "kanidm-generate-certs.service" ];
+  };
+}

hosts/alexandria/nextcloud.nix

@@ -0,0 +1,97 @@
+{
+  lib,
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+in
+
+{
+  services = {
+    nextcloud = {
+      enable = true;
+      package = pkgs.nextcloud32;
+      datadir = "/data/nextcloud";
+      hostName = "cloud.baduhai.dev";
+      configureRedis = true;
+      https = true;
+      secretFile = config.age.secrets."nextcloud-secrets.json".path;
+      database.createLocally = true;
+      maxUploadSize = "16G";
+      extraApps = {
+        inherit (config.services.nextcloud.package.packages.apps)
+          calendar
+          contacts
+          notes
+          tasks
+          user_oidc
+          ;
+      };
+      extraAppsEnable = true;
+      caching = {
+        apcu = true;
+        redis = true;
+      };
+      settings = {
+        trusted_proxies = [ "127.0.0.1" ];
+        default_phone_region = "BR";
+        maintenance_window_start = "4";
+        allow_local_remote_servers = true;
+        enabledPreviewProviders = [
+          "OC\\Preview\\BMP"
+          "OC\\Preview\\EMF"
+          "OC\\Preview\\Font"
+          "OC\\Preview\\GIF"
+          "OC\\Preview\\HEIC"
+          "OC\\Preview\\Illustrator"
+          "OC\\Preview\\JPEG"
+          "OC\\Preview\\Krita"
+          "OC\\Preview\\MarkDown"
+          "OC\\Preview\\Movie"
+          "OC\\Preview\\MP3"
+          "OC\\Preview\\MSOffice2003"
+          "OC\\Preview\\MSOffice2007"
+          "OC\\Preview\\MSOfficeDoc"
+          "OC\\Preview\\OpenDocument"
+          "OC\\Preview\\PDF"
+          "OC\\Preview\\Photoshop"
+          "OC\\Preview\\PNG"
+          "OC\\Preview\\Postscript"
+          "OC\\Preview\\SVG"
+          "OC\\Preview\\TIFF"
+          "OC\\Preview\\TXT"
+          "OC\\Preview\\XBitmap"
+        ];
+      };
+      config = {
+        dbtype = "pgsql";
+        adminpassFile = config.age.secrets.nextcloud-adminpass.path;
+      };
+      phpOptions = {
+        "opcache.interned_strings_buffer" = "16";
+      };
+    };
+
+    nginx.virtualHosts = mkNginxVHosts {
+      domains."cloud.baduhai.dev" = { };
+    };
+  };
+
+  age.secrets = {
+    "nextcloud-secrets.json" = {
+      file = ../../secrets/nextcloud-secrets.json.age;
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+    nextcloud-adminpass = {
+      file = ../../secrets/nextcloud-adminpass.age;
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+}

hosts/alexandria/nginx.nix

@@ -0,0 +1,59 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts services;
+
+  # Get all unique domains from shared services that have LAN IPs (served by this host)
+  localDomains = lib.unique (map (s: s.domain) (lib.filter (s: s.host == "alexandria") services));
+
+  # Generate ACME cert configs for all local domains
+  acmeCerts = lib.genAttrs localDomains (domain: {
+    group = "nginx";
+  });
+in
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "baduhai@proton.me";
+      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.cloudflare.path;
+    };
+    certs = acmeCerts;
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "_" = {
+        default = true;
+        locations."/".return = "444";
+      };
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  age.secrets.cloudflare = {
+    file = ../../secrets/cloudflare.age;
+    owner = "nginx";
+    group = "nginx";
+  };
+}

hosts/alexandria/unbound.nix

@@ -0,0 +1,58 @@
+{ inputs, lib, ... }:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+in
+
+{
+  services.unbound = {
+    enable = true;
+    enableRootTrustAnchor = true;
+    settings = {
+      server = {
+        interface = [
+          "0.0.0.0"
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "192.168.0.0/16 allow"
+          "::1/128 allow"
+        ];
+
+        num-threads = 2;
+        msg-cache-size = "50m";
+        rrset-cache-size = "100m";
+        cache-min-ttl = 300;
+        cache-max-ttl = 86400;
+        prefetch = true;
+        prefetch-key = true;
+        hide-identity = true;
+        hide-version = true;
+        so-rcvbuf = "1m";
+        so-sndbuf = "1m";
+
+        # LAN-only DNS records
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.lanIP}"'')
+          (lib.filter (e: e ? lanIP) utils.services);
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "1.1.1.1@853#cloudflare-dns.com"
+            "1.0.0.1@853#cloudflare-dns.com"
+          ];
+          forward-tls-upstream = true;
+        }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+}

hosts/alexandria/vaultwarden.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+in
+{
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://pass.baduhai.dev";
+      SIGNUPS_ALLOWED = false;
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 58222;
+    };
+  };
+
+  services.nginx.virtualHosts = mkNginxVHosts {
+    domains."pass.baduhai.dev".locations."/".proxyPass =
+      "http://${config.services.vaultwarden.config.ROCKET_ADDRESS}:${toString config.services.vaultwarden.config.ROCKET_PORT}/";
+  };
+}

hosts/io.nix

@@ -1,12 +0,0 @@
-{ ... }:
-
-{
-  networking.hostName = "io";
-
-  imports = [
-    ./modules/io
-    ./modules
-  ];
-
-  nix.nixPath = [ "nixos-config=${./io.nix}" ];
-}

hosts/io/disko.nix

@@ -0,0 +1,79 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.disko.nixosModules.default ];
+
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";
+    content = {
+      type = "gpt";
+      partitions = {
+        ESP = {
+          priority = 1;
+          name = "ESP";
+          start = "1MiB";
+          end = "1GiB";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot/efi";
+            mountOptions = [
+              "noatime"
+              "fmask=0077"
+              "dmask=0077"
+            ];
+          };
+        };
+        cryptroot = {
+          priority = 2;
+          name = "root";
+          size = "100%";
+          content = {
+            type = "luks";
+            name = "cryptroot";
+            content = {
+              type = "btrfs";
+              extraArgs = [ "-f" ];
+              subvolumes = {
+                "@root" = {
+                  mountpoint = "/";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@root"
+                  ];
+                };
+                "@home" = {
+                  mountpoint = "/home";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@home"
+                  ];
+                };
+                "@nix" = {
+                  mountpoint = "/nix";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@nix"
+                  ];
+                };
+                "@persistent" = {
+                  mountpoint = "/persistent";
+                  mountOptions = [
+                    "noatime"
+                    "compress=zstd"
+                    "subvol=@persistent"
+                  ];
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/io/hardware-configuration.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   modulesPath,
+  inputs,
   ...
 }:
 

hosts/io/programs.nix

@@ -19,19 +19,9 @@ in
 {
   environment = {
     systemPackages = with pkgs; [
-      arduino-ide
-      esptool
-      # fritzing
       maliit-keyboard
       sof-firmware
     ];
     sessionVariables.ALSA_CONFIG_UCM2 = "${cml-ucm-conf}/share/alsa/ucm2";
   };
-
-  # TODO: remove once gmodena/nix-flatpak/issues/45 fixed
-  systemd.services."flatpak-managed-install" = {
-    serviceConfig = {
-      ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
-    };
-  };
 }

hosts/io/services.nix

@@ -1,3 +1,5 @@
+{ pkgs, ... }:
+
 {
   services = {
     keyd = {
@@ -46,5 +48,14 @@
         };
       };
     };
+    upower.enable = true;
+    power-profiles-daemon.enable = true;
+  };
+
+  # TODO: remove once gmodena/nix-flatpak/issues/45 fixed
+  systemd.services."flatpak-managed-install" = {
+    serviceConfig = {
+      ExecStartPre = "${pkgs.coreutils}/bin/sleep 5";
+    };
   };
 }

hosts/modules/ai.nix

@@ -0,0 +1,10 @@
+{ inputs, pkgs, ... }:
+
+{
+  environment.systemPackages = with inputs.nix-ai-tools.packages.${pkgs.system}; [
+    claude-desktop
+    claude-code
+    claudebox
+    opencode
+  ];
+}

hosts/modules/alexandria/default.nix

@@ -1,9 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./hardware-configuration.nix
-    ./services.nix
-    ./users.nix
-  ];
-}

hosts/modules/alexandria/networking.nix

@@ -1,16 +0,0 @@
-{
-  networking = {
-    firewall = {
-      allowedTCPPorts = [
-        80
-        443
-      ];
-      allowedUDPPorts = [ ];
-    };
-  };
-
-  boot.kernel.sysctl = {
-    "net.ipv4.ip_forward" = 1;
-    "net.ipv6.conf.all.forwarding" = 1;
-  };
-}

hosts/modules/alexandria/services.nix

@@ -1,225 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-let
-  ports = {
-    jellyfin = "8096";
-    librespeed = "8000";
-    radicale = "8001";
-    vaultwarden = "8002";
-  };
-  rclone-webdav-start = pkgs.writeShellScript "rclone-webdav-start.sh" ''
-    #!/bin/bash
-
-    # Configuration
-    CREDS_FILE="/run/agenix/webdav"
-    SERVE_DIR="/data/webdav"
-    SOCKET_PATH="/run/rclone-webdav/webdav.sock"
-
-    # Check if credentials file exists
-    if [ ! -f "$CREDS_FILE" ]; then
-      echo "Error: Credentials file $CREDS_FILE not found"
-      exit 1
-    fi
-
-    # Read credentials from file (format: username:password)
-    CREDENTIALS=$(cat "$CREDS_FILE")
-    USERNAME=$(echo "$CREDENTIALS" | cut -d':' -f1)
-    PASSWORD=$(echo "$CREDENTIALS" | cut -d':' -f2)
-
-    # Validate credentials
-    if [ -z "$USERNAME" ] || [ -z "$PASSWORD" ]; then
-      echo "Error: Invalid credentials format. Expected username:password"
-      exit 1
-    fi
-
-    # Ensure serve directory exists
-    mkdir -p "$SERVE_DIR"
-
-    # Remove existing socket if it exists
-    rm -f "$SOCKET_PATH"
-
-    # Start rclone serve webdav
-    exec ${pkgs.rclone}/bin/rclone serve webdav "$SERVE_DIR" \
-      --addr unix://"$SOCKET_PATH" \
-      --user "$USERNAME" \
-      --pass "$PASSWORD" \
-      --config="" \
-      --baseurl "/webdav" \
-      --verbose
-  '';
-in
-
-{
-  services = {
-    forgejo = {
-      enable = true;
-      repositoryRoot = "/data/forgejo";
-      settings = {
-        session.COOKIE_SECURE = true;
-        server = {
-          PROTOCOL = "http+unix";
-          DOMAIN = "git.baduhai.dev";
-          ROOT_URL = "https://git.baduhai.dev";
-          OFFLINE_MODE = true; # disable use of CDNs
-          SSH_DOMAIN = "baduhai.dev";
-        };
-        log.LEVEL = "Warn";
-        mailer.ENABLED = false;
-        actions.ENABLED = false;
-      };
-    };
-
-    jellyfin = {
-      enable = true;
-      openFirewall = true;
-    };
-
-    nginx = {
-      enable = true;
-      recommendedGzipSettings = true;
-      recommendedOptimisation = true;
-      recommendedProxySettings = true;
-      recommendedTlsSettings = true;
-      virtualHosts =
-        let
-          commonVHostConfig = {
-            useACMEHost = "baduhai.dev";
-            forceSSL = true;
-            kTLS = true;
-          };
-        in
-        lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) {
-          "_".locations."/".return = "444";
-          "dav.baduhai.dev".locations = {
-            "/caldav" = {
-              proxyPass = "http://127.0.0.1:${ports.radicale}/";
-              extraConfig = ''
-                proxy_set_header X-Script-Name /caldav;
-                proxy_pass_header Authorization;
-              '';
-            };
-            "/webdav" = {
-              proxyPass = "http://unix:/run/rclone-webdav/webdav.sock:/webdav/";
-              extraConfig = ''
-                proxy_set_header X-Script-Name /webdav;
-                proxy_pass_header Authorization;
-                proxy_connect_timeout 300; # Increase timeouts for large file uploads
-                proxy_send_timeout 300;
-                proxy_read_timeout 300;
-                client_max_body_size 10G; # Allow large file uploads
-                proxy_buffering off; # Buffer settings for better performance
-                proxy_request_buffering off;
-              '';
-            };
-          };
-          "git.baduhai.dev".locations."/".proxyPass =
-            "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
-          "jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:${ports.jellyfin}/";
-          "pass.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:${ports.vaultwarden}/";
-          "speedtest.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:${ports.librespeed}/";
-        };
-    };
-
-    radicale = {
-      enable = true;
-      settings = {
-        server = {
-          hosts = [
-            "127.0.0.1:${ports.radicale}"
-            "[::]:${ports.radicale}"
-          ];
-        };
-        auth = {
-          type = "htpasswd";
-          htpasswd_filename = "/etc/radicale/users";
-          htpasswd_encryption = "bcrypt";
-        };
-      };
-    };
-
-    vaultwarden = {
-      enable = true;
-      config = {
-        DOMAIN = "https://pass.baduhai.dev";
-        SIGNUPS_ALLOWED = false;
-        ROCKET_ADDRESS = "127.0.0.1";
-        ROCKET_PORT = "${ports.vaultwarden}";
-      };
-    };
-  };
-
-  virtualisation.oci-containers.containers."librespeed" = {
-    image = "lscr.io/linuxserver/librespeed:latest";
-    environment = {
-      TZ = "America/Bahia";
-    };
-    ports = [ "${ports.librespeed}:80" ];
-    extraOptions = [
-      "--pull=newer"
-      "--label=io.containers.autoupdate=registry"
-    ];
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults = {
-      email = "baduhai@proton.me";
-      dnsResolver = "1.1.1.1:53";
-      dnsProvider = "cloudflare";
-      credentialsFile = config.age.secrets.cloudflare.path;
-    };
-    certs."baduhai.dev" = {
-      extraDomainNames = [ "*.baduhai.dev" ];
-    };
-  };
-
-  age.secrets = {
-    cloudflare = {
-      file = ../../../secrets/cloudflare.age;
-      owner = "nginx";
-      group = "nginx";
-    };
-    webdav = {
-      file = ../../../secrets/webdav.age;
-      owner = "user";
-      group = "users";
-    };
-  };
-
-  systemd.services = {
-    rclone-webdav = {
-      description = "RClone WebDAV Server";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-      serviceConfig = {
-        Type = "exec";
-        User = "user";
-        Group = "nginx";
-        ExecStart = "${rclone-webdav-start}";
-        Restart = "always";
-        RestartSec = "10";
-        NoNewPrivileges = true;
-        PrivateTmp = true;
-        ProtectSystem = "strict";
-        ProtectHome = true;
-        ReadWritePaths = [
-          "/data/webdav"
-          "/run"
-        ];
-        RuntimeDirectory = "rclone-webdav";
-        RuntimeDirectoryMode = "0750";
-        UMask = "0002";
-      };
-      preStart = ''
-        mkdir -p /data/webdav
-        chown user:users /data/webdav
-        chmod 755 /data/webdav
-      '';
-    };
-  };
-}

hosts/modules/alexandria/users.nix

@@ -1,3 +0,0 @@
-{
-  users.users.nginx.extraGroups = [ "acme" ];
-}

hosts/modules/bluetooth.nix

@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  hardware.bluetooth.enable = true;
+}

hosts/modules/boot.nix

@@ -1,61 +0,0 @@
-{
-  hostType,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      boot = {
-        loader = {
-          timeout = 1;
-          efi.canTouchEfiVariables = true;
-          systemd-boot = {
-            enable = true;
-            editor = false;
-            consoleMode = "max";
-            sortKey = "aa";
-            netbootxyz = {
-              enable = true;
-              sortKey = "zz";
-            };
-          };
-        };
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-      boot.kernelPackages = pkgs.linuxPackages_hardened;
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      boot = {
-        plymouth.enable = true;
-        initrd.systemd.enable = true;
-        loader.efi.efiSysMountPoint = "/boot/efi";
-        kernelPackages = pkgs.linuxPackages_xanmod;
-        extraModprobeConfig = ''
-          options bluetooth disable_ertm=1
-        '';
-        kernel.sysctl = {
-          "net.ipv4.tcp_mtu_probing" = 1;
-        };
-        kernelParams = [
-          "quiet"
-          "splash"
-          "i2c-dev"
-          "i2c-piix4"
-          "loglevel=3"
-          "udev.log_priority=3"
-          "rd.udev.log_level=3"
-          "rd.systemd.show_status=false"
-        ];
-      };
-    })
-  ];
-}

hosts/modules/common/boot.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+
+{
+  boot = {
+    loader = {
+      timeout = 1;
+      efi.canTouchEfiVariables = true;
+      systemd-boot = {
+        enable = true;
+        editor = false;
+        consoleMode = "max";
+        sortKey = "aa";
+        netbootxyz = {
+          enable = true;
+          sortKey = "zz";
+        };
+      };
+    };
+  };
+}

hosts/modules/common/console.nix

@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  console = {
+    useXkbConfig = true;
+    earlySetup = true;
+  };
+}

hosts/modules/common/firewall.nix

@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  networking = {
+    firewall.enable = true;
+    nftables.enable = true;
+  };
+}

hosts/modules/common/locale.nix

@@ -0,0 +1,21 @@
+{ ... }:
+
+{
+  time.timeZone = "America/Bahia";
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_ADDRESS = "pt_BR.utf8";
+      LC_COLLATE = "pt_BR.utf8";
+      LC_IDENTIFICATION = "pt_BR.utf8";
+      LC_MEASUREMENT = "pt_BR.utf8";
+      LC_MONETARY = "pt_BR.utf8";
+      LC_NAME = "pt_BR.utf8";
+      LC_NUMERIC = "pt_BR.utf8";
+      LC_PAPER = "pt_BR.utf8";
+      LC_TELEPHONE = "pt_BR.utf8";
+      LC_TIME = "en_IE.utf8";
+    };
+  };
+}

hosts/modules/common/nix.nix

@@ -0,0 +1,38 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.nixos-cli.nixosModules.nixos-cli ];
+
+  nix = {
+    settings = {
+      auto-optimise-store = true;
+      connect-timeout = 10;
+      log-lines = 25;
+      min-free = 128000000;
+      max-free = 1000000000;
+      trusted-users = [ "@wheel" ];
+    };
+    extraOptions = "experimental-features = nix-command flakes";
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 8d";
+    };
+  };
+
+  nixpkgs.config = {
+    allowUnfree = true;
+    enableParallelBuilding = true;
+    buildManPages = false;
+    buildDocs = false;
+  };
+
+  services.nixos-cli = {
+    enable = true;
+    config = {
+      use_nvd = true;
+      ignore_dirty_tree = true;
+    };
+  };
+
+  system.stateVersion = "22.11";
+}

hosts/modules/common/openssh.nix

@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+  services.openssh = {
+    enable = true;
+    settings.PermitRootLogin = "no";
+    extraConfig = ''
+      PrintLastLog no
+    '';
+  };
+}

hosts/modules/common/programs.nix

@@ -0,0 +1,40 @@
+{ lib, pkgs, ... }:
+
+{
+  environment = {
+    systemPackages = with pkgs; [
+      ### Dev Tools ###
+      git
+      ### System Utilities ###
+      btop
+      fastfetch
+      helix
+      nixos-firewall-tool
+      nvd
+      sysz
+      tmux
+      wget
+      yazi
+    ];
+    shellAliases = {
+      cat = "${lib.getExe pkgs.bat} --paging=never --style=plain";
+      ls = "${lib.getExe pkgs.eza} --icons --group-directories-first";
+      tree = "ls --tree";
+    };
+  };
+
+  programs = {
+    command-not-found.enable = false;
+    fish = {
+      enable = true;
+      interactiveShellInit = ''
+        set fish_greeting
+        if set -q SSH_CONNECTION
+          export TERM=xterm-256color
+          clear
+          fastfetch
+        end
+      '';
+    };
+  };
+}

hosts/modules/common/security.nix

@@ -0,0 +1,13 @@
+{ ... }:
+
+{
+  security = {
+    unprivilegedUsernsClone = true; # Needed for rootless podman
+    sudo = {
+      wheelNeedsPassword = false;
+      extraConfig = ''
+        Defaults lecture = never
+      '';
+    };
+  };
+}

hosts/modules/common/services.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  services = {
+    dbus.implementation = "broker";
+    irqbalance.enable = true;
+    fstrim.enable = true;
+  };
+}

hosts/modules/common/tailscale.nix

@@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  services.tailscale = {
+    enable = true;
+    extraUpFlags = [ "--operator=user" ];
+  };
+}

hosts/modules/common/users.nix

@@ -0,0 +1,24 @@
+{ pkgs, ... }:
+
+{
+  users.users = {
+    user = {
+      isNormalUser = true;
+      shell = pkgs.fish;
+      extraGroups = [
+        "networkmanager"
+        "wheel"
+      ];
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQPkAyy+Du9Omc2WtnUF2TV8jFAF4H6mJi2D4IZ1nzg user@himalia"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
+      ];
+      hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0";
+    };
+    root = {
+      shell = pkgs.fish;
+      hashedPassword = "!";
+    };
+  };
+}

hosts/modules/console.nix

@@ -1,21 +0,0 @@
-{ hostType, lib, ... }:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      console = {
-        useXkbConfig = true;
-        earlySetup = true;
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-    })
-  ];
-}

hosts/modules/default.nix

@@ -1,20 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./boot.nix
-    ./console.nix
-    ./desktop.nix
-    ./ephermal.nix
-    ./impermanence.nix
-    ./locale.nix
-    ./networking.nix
-    ./nix.nix
-    ./programs.nix
-    ./security.nix
-    ./services.nix
-    ./stylix.nix
-    ./users.nix
-    ./virtualisation.nix
-  ];
-}

hosts/modules/desktop.nix

@@ -1,66 +0,0 @@
-{
-  hostType,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      services = {
-        displayManager = {
-          autoLogin = {
-            enable = true;
-            user = "user";
-          };
-          sddm = {
-            enable = true;
-            wayland = {
-              enable = true;
-              compositor = "kwin";
-            };
-          };
-        };
-        desktopManager.plasma6.enable = true;
-        pipewire = {
-          enable = true;
-          alsa.enable = true;
-          alsa.support32Bit = true;
-          pulse.enable = true;
-          jack.enable = true;
-          wireplumber.enable = true;
-        };
-      };
-
-      hardware = {
-        xpadneo.enable = true;
-        bluetooth.enable = true;
-        steam-hardware.enable = true; # Allow steam client to manage controllers
-        graphics.enable32Bit = true; # For OpenGL games
-        i2c.enable = true;
-      };
-
-      security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
-
-      xdg.portal = {
-        enable = true;
-        xdgOpenUsePortal = true;
-        extraPortals = with pkgs; [
-          kdePackages.xdg-desktop-portal-kde
-          xdg-desktop-portal-gtk
-          xdg-desktop-portal-gnome
-        ];
-      };
-    })
-  ];
-}

hosts/modules/desktop/boot.nix

@@ -0,0 +1,26 @@
+{ pkgs, ... }:
+
+{
+  boot = {
+    plymouth.enable = true;
+    initrd.systemd.enable = true;
+    loader.efi.efiSysMountPoint = "/boot/efi";
+    kernelPackages = pkgs.linuxPackages_xanmod_latest;
+    extraModprobeConfig = ''
+      options bluetooth disable_ertm=1
+    '';
+    kernel.sysctl = {
+      "net.ipv4.tcp_mtu_probing" = 1;
+    };
+    kernelParams = [
+      "quiet"
+      "splash"
+      "i2c-dev"
+      "i2c-piix4"
+      "loglevel=3"
+      "udev.log_priority=3"
+      "rd.udev.log_level=3"
+      "rd.systemd.show_status=false"
+    ];
+  };
+}

hosts/modules/desktop/desktop.nix

@@ -0,0 +1,163 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    inputs.niri-flake.nixosModules.niri
+    inputs.nix-flatpak.nixosModules.nix-flatpak
+  ];
+
+  environment = {
+    sessionVariables = {
+      KDEHOME = "$XDG_CONFIG_HOME/kde4"; # Stops kde from placing a .kde4 folder in the home dir
+      NIXOS_OZONE_WL = "1"; # Forces chromium and most electron apps to run in wayland
+    };
+    systemPackages = with pkgs; [
+      ### Web ###
+      bitwarden-desktop
+      fragments
+      nextcloud-client
+      tor-browser
+      vesktop
+      inputs.zen-browser.packages."${system}".default
+      ### Office & Productivity ###
+      aspell
+      aspellDicts.de
+      aspellDicts.en
+      aspellDicts.en-computers
+      aspellDicts.pt_BR
+      libreoffice
+      onlyoffice-desktopeditors
+      papers
+      presenterm
+      rnote
+      ### Graphics & Design ###
+      gimp
+      inkscape
+      plasticity
+      ### System Utilities ###
+      adwaita-icon-theme
+      ghostty
+      gnome-disk-utility
+      junction
+      libfido2
+      mission-center
+      nautilus
+      p7zip
+      rclone
+      toggleaudiosink
+      unrar
+      ### Media ###
+      decibels
+      loupe
+      obs-studio
+      showtime
+    ];
+  };
+
+  services = {
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      jack.enable = true;
+      wireplumber.enable = true;
+    };
+    greetd = {
+      enable = true;
+      settings = {
+        default_session = {
+          command = "${lib.getExe pkgs.tuigreet} --user-menu --time --remember --asterisks --cmd ${config.programs.niri.package}/bin/niri-session";
+          user = "greeter";
+        };
+      }
+      // lib.optionalAttrs (config.networking.hostName == "io") {
+        initial_session = {
+          command = "${config.programs.niri.package}/bin/niri-session";
+          user = "user";
+        };
+      };
+    };
+    flatpak = {
+      enable = true;
+      packages = [
+        ### Graphics & Design ###
+        "com.boxy_svg.BoxySVG"
+        rec {
+          appId = "io.github.softfever.OrcaSlicer";
+          sha256 = "0hdx5sg6fknj1pfnfxvlfwb5h6y1vjr6fyajbsnjph5gkp97c6p1";
+          bundle = "${pkgs.fetchurl {
+            url = "https://github.com/SoftFever/OrcaSlicer/releases/download/v2.3.0/OrcaSlicer-Linux-flatpak_V2.3.0_x86_64.flatpak";
+            inherit sha256;
+          }}";
+        }
+        ### System Utilities ###
+        "com.github.tchx84.Flatseal"
+        "com.rustdesk.RustDesk"
+      ];
+      uninstallUnmanaged = true;
+      update.auto.enable = true;
+    };
+    gvfs.enable = true;
+  };
+
+  security.rtkit.enable = true; # Needed for pipewire to acquire realtime priority
+
+  users = {
+    users.greeter = {
+      isSystemUser = true;
+      group = "greeter";
+    };
+    groups.greeter = { };
+  };
+
+  programs = {
+    niri = {
+      enable = true;
+      package = inputs.niri.packages.${pkgs.system}.niri;
+    };
+    kdeconnect = {
+      enable = true;
+      package = pkgs.valent;
+    };
+    dconf.enable = true;
+    appimage = {
+      enable = true;
+      binfmt = true;
+    };
+  };
+
+  niri-flake.cache.enable = false;
+
+  fonts = {
+    fontDir.enable = true;
+    packages = with pkgs; [
+      corefonts
+      inter
+      nerd-fonts.fira-code
+      noto-fonts-cjk-sans
+      noto-fonts-color-emoji
+      roboto
+    ];
+  };
+
+  xdg.portal = {
+    extraPortals = with pkgs; [
+      xdg-desktop-portal-gnome
+      xdg-desktop-portal-gtk
+    ];
+    config = {
+      common.default = "*";
+      niri.default = [
+        "gtk"
+        "gnome"
+      ];
+    };
+  };
+}

hosts/modules/desktop/nix.nix

@@ -0,0 +1,13 @@
+{ inputs, ... }:
+
+{
+  environment.etc."channels/nixpkgs".source = inputs.nixpkgs.outPath;
+
+  nix = {
+    registry.nixpkgs.flake = inputs.nixpkgs;
+    nixPath = [
+      "nixpkgs=${inputs.nixpkgs}"
+      "/nix/var/nix/profiles/per-user/root/channels"
+    ];
+  };
+}

hosts/modules/desktop/services.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+
+{
+  services = {
+    printing.enable = true;
+    udev.packages = with pkgs; [ yubikey-personalization ];
+    keyd = {
+      enable = true;
+      keyboards.all = {
+        ids = [ "*" ];
+        settings.main.capslock = "overload(meta, esc)";
+      };
+    };
+  };
+}

hosts/modules/dev.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    bat
+    lazygit
+    fd
+    fzf
+    glow
+    nixfmt-rfc-style
+    nix-init
+    nix-output-monitor
+    ripgrep
+  ];
+
+  programs.adb.enable = true;
+
+  users.users.user.extraGroups = [ "adbusers" ];
+}

hosts/modules/environment.nix

@@ -1,4 +0,0 @@
-{ pkgs, ... }:
-
-{
-}

hosts/modules/ephemeral.nix

@@ -0,0 +1,41 @@
+{ config, inputs, ... }:
+
+{
+  imports = [
+    inputs.impermanence.nixosModules.impermanence
+    inputs.self.nixosModules.ephemeral
+  ];
+
+  ephemeral = {
+    enable = true;
+    rootDevice =
+      if config.networking.hostName == "trantor" then
+        "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20-part2"
+      else
+        "/dev/mapper/cryptroot";
+    rootSubvolume = "@root";
+  };
+
+  environment.persistence.main = {
+    persistentStoragePath = "/persistent";
+    files = [
+      "/etc/machine-id"
+      "/etc/ssh/ssh_host_ed25519_key"
+      "/etc/ssh/ssh_host_ed25519_key.pub"
+      "/etc/ssh/ssh_host_rsa_key"
+      "/etc/ssh/ssh_host_rsa_key.pub"
+    ];
+    directories = [
+      "/etc/NetworkManager/system-connections"
+      "/etc/nixos"
+      "/var/lib/bluetooth"
+      "/var/lib/flatpak"
+      "/var/lib/lxd"
+      "/var/lib/nixos"
+      "/var/lib/systemd/coredump"
+      "/var/lib/systemd/timers"
+      "/var/lib/tailscale"
+      "/var/log"
+    ];
+  };
+}

hosts/modules/ephermal.nix

@@ -1,64 +0,0 @@
-{
-  hostType,
-  lib,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      boot.initrd.systemd.services.recreate-root = {
-        description = "Rolling over and creating new filesystem root";
-        requires = [ "initrd-root-device.target" ];
-        after = [
-          "local-fs-pre.target"
-          "initrd-root-device.target"
-        ];
-        requiredBy = [ "initrd-root-fs.target" ];
-        before = [ "sysroot.mount" ];
-        unitConfig = {
-          AssertPathExists = "/etc/initrd-release";
-          DefaultDependencies = false;
-        };
-        serviceConfig = {
-          Type = "oneshot";
-          RemainAfterExit = true;
-        };
-        script = ''
-          mkdir /btrfs_tmp
-          mount /dev/mapper/cryptroot /btrfs_tmp
-
-          if [[ -e /btrfs_tmp/@root ]]; then
-            mkdir -p /btrfs_tmp/old_roots
-            timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/@root)" "+%Y-%m-%-d_%H:%M:%S")
-            mv /btrfs_tmp/@root "/btrfs_tmp/old_roots/$timestamp"
-          fi
-
-          delete_subvolume_recursively() {
-            IFS=$'\n'
-            for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
-               delete_subvolume_recursively "/btrfs_tmp/$i"
-            done
-            btrfs subvolume delete "$1"
-          }
-
-          for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
-            delete_subvolume_recursively "$i"
-          done
-
-          btrfs subvolume create /btrfs_tmp/@root
-          umount /btrfs_tmp
-        '';
-      };
-    })
-  ];
-}

hosts/modules/fwupd.nix

@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+  services.fwupd.enable = true;
+}

hosts/modules/gaming.nix

@@ -0,0 +1,35 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    clonehero
+    heroic
+    mangohud
+    prismlauncher
+    steam-run
+  ];
+
+  programs = {
+    steam = {
+      enable = true;
+      extraCompatPackages = [ pkgs.proton-ge-bin ];
+    };
+    gamemode.enable = true;
+  };
+
+  hardware = {
+    xpadneo.enable = true;
+    steam-hardware.enable = true; # Allow steam client to manage controllers
+    graphics.enable32Bit = true; # For OpenGL games
+  };
+
+  services.flatpak.packages = [
+    "com.github.k4zmu2a.spacecadetpinball"
+    "com.steamgriddb.SGDBoop"
+    "io.github.Foldex.AdwSteamGtk"
+    "io.itch.itch"
+    "io.mrarm.mcpelauncher"
+    "net.retrodeck.retrodeck"
+    "org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/24.08"
+  ];
+}

hosts/modules/impermanence.nix

@@ -1,42 +0,0 @@
-{
-  hostType,
-  lib,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      environment.persistence.main = {
-        persistentStoragePath = "/persistent";
-        files = [
-          "/etc/machine-id"
-          "/etc/ssh/ssh_host_ed25519_key"
-          "/etc/ssh/ssh_host_ed25519_key.pub"
-          "/etc/ssh/ssh_host_rsa_key"
-          "/etc/ssh/ssh_host_rsa_key.pub"
-        ];
-        directories = [
-          "/etc/NetworkManager/system-connections"
-          "/etc/nixos"
-          "/var/lib/bluetooth"
-          "/var/lib/flatpak"
-          "/var/lib/nixos"
-          "/var/lib/systemd/coredump"
-          "/var/lib/systemd/timers"
-          "/var/lib/tailscale"
-          "/var/log"
-        ];
-      };
-    })
-  ];
-}

hosts/modules/io/default.nix

@@ -1,11 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./boot.nix
-    ./disko.nix
-    ./hardware-configuration.nix
-    ./programs.nix
-    ./services.nix
-  ];
-}

hosts/modules/io/disko.nix

@@ -1,81 +0,0 @@
-{ ... }:
-
-{
-  disko.devices = {
-    disk = {
-      main = {
-        type = "disk";
-        device = "/dev/disk/by-id/mmc-hDEaP3_0x1041b689";
-        content = {
-          type = "gpt";
-          partitions = {
-            ESP = {
-              priority = 1;
-              name = "ESP";
-              start = "1MiB";
-              end = "1GiB";
-              type = "EF00";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot/efi";
-                mountOptions = [
-                  "noatime"
-                  "fmask=0077"
-                  "dmask=0077"
-                ];
-              };
-            };
-            cryptroot = {
-              priority = 2;
-              name = "root";
-              size = "100%";
-              content = {
-                type = "luks";
-                name = "cryptroot";
-                content = {
-                  type = "btrfs";
-                  extraArgs = [ "-f" ];
-                  subvolumes = {
-                    "@root" = {
-                      mountpoint = "/";
-                      mountOptions = [
-                        "noatime"
-                        "compress=zstd"
-                        "subvol=@root"
-                      ];
-                    };
-                    "@home" = {
-                      mountpoint = "/home";
-                      mountOptions = [
-                        "noatime"
-                        "compress=zstd"
-                        "subvol=@home"
-                      ];
-                    };
-                    "@nix" = {
-                      mountpoint = "/nix";
-                      mountOptions = [
-                        "noatime"
-                        "compress=zstd"
-                        "subvol=@nix"
-                      ];
-                    };
-                    "@persistent" = {
-                      mountpoint = "/persistent";
-                      mountOptions = [
-                        "noatime"
-                        "compress=zstd"
-                        "subvol=@persistent"
-                      ];
-                    };
-                  };
-                };
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/modules/libvirtd.nix

@@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  virtualisation.libvirtd.enable = true;
+
+  programs.virt-manager.enable = true;
+
+  users.users.user.extraGroups = [
+    "libvirt"
+    "libvirtd"
+  ];
+}

hosts/modules/locale.nix

@@ -1,33 +0,0 @@
-{ hostType, lib, ... }:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      time.timeZone = "America/Bahia";
-
-      i18n = {
-        defaultLocale = "en_US.UTF-8";
-        extraLocaleSettings = {
-          LC_ADDRESS = "pt_BR.utf8";
-          LC_IDENTIFICATION = "pt_BR.utf8";
-          LC_MEASUREMENT = "pt_BR.utf8";
-          LC_MONETARY = "pt_BR.utf8";
-          LC_NAME = "pt_BR.utf8";
-          LC_NUMERIC = "pt_BR.utf8";
-          LC_PAPER = "pt_BR.utf8";
-          LC_TELEPHONE = "pt_BR.utf8";
-          LC_TIME = "en_IE.utf8";
-        };
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-    })
-  ];
-}

hosts/modules/networking.nix

@@ -1,29 +0,0 @@
-{
-  hostType,
-  lib,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      networking = {
-        networkmanager.enable = true;
-        firewall.enable = true;
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-      services.tailscale = {
-        extraSetFlags = [ "--advertise-exit-node" ];
-        useRoutingFeatures = "server";
-      };
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-    })
-  ];
-}

hosts/modules/networkmanager.nix

@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  networking.networkmanager = {
+    enable = true;
+    wifi.backend = "iwd";
+  };
+
+  users.users.user.extraGroups = [ "networkmanager" ];
+}

hosts/modules/nix.nix

@@ -1,64 +0,0 @@
-{
-  inputs,
-  lib,
-  hostType,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      nix = {
-        settings = {
-          auto-optimise-store = true;
-          connect-timeout = 10;
-          log-lines = 25;
-          min-free = 128000000;
-          max-free = 1000000000;
-          trusted-users = [ "@wheel" ];
-        };
-        extraOptions = "experimental-features = nix-command flakes";
-        gc = {
-          automatic = true;
-          options = "--delete-older-than 8d";
-        };
-      };
-
-      nixpkgs.config = {
-        allowUnfree = true;
-        enableParallelBuilding = true;
-        buildManPages = false;
-        buildDocs = false;
-      };
-
-      system.stateVersion = "22.11";
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-      environment.etc."channels/nixpkgs".source = inputs.nixpkgs-stable.outPath;
-
-      nix = {
-        registry.nixpkgs.flake = inputs.nixpkgs-stable;
-        nixPath = [
-          "nixpkgs=/etc/channels/nixpkgs"
-          "/nix/var/nix/profiles/per-user/root/channels"
-        ];
-      };
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      environment.etc."channels/nixpkgs".source = inputs.nixpkgs.outPath;
-
-      nix = {
-        registry.nixpkgs.flake = inputs.nixpkgs;
-        nixPath = [
-          "nixpkgs=${inputs.nixpkgs}"
-          "/nix/var/nix/profiles/per-user/root/channels"
-        ];
-      };
-    })
-  ];
-}

hosts/modules/podman.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+
+{
+  virtualisation.podman = {
+    enable = true;
+    autoPrune.enable = true;
+    extraPackages = [ pkgs.podman-compose ];
+  };
+
+  systemd = {
+    services.podman-auto-update.enable = true;
+    timers.podman-auto-update.enable = true;
+  };
+}

hosts/modules/programs.nix

@@ -1,206 +0,0 @@
-{
-  hostType,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      environment = {
-        systemPackages = with pkgs; [
-          ### Dev Tools ###
-          agenix
-          git
-          evil-helix
-          ### System Utilities ###
-          btop
-          nixos-firewall-tool
-          nvd
-          sysz
-          tmux
-          wget
-        ];
-        shellAliases = {
-          ls = "${pkgs.eza}/bin/eza --icons --group-directories-first";
-          neofetch = "${pkgs.fastfetch}/bin/fastfetch";
-          tree = "ls --tree";
-          syscleanup = "sudo nix-collect-garbage -d; sudo /run/current-system/bin/switch-to-configuration boot";
-        };
-      };
-
-      programs = {
-        fish.enable = true;
-        command-not-found.enable = false;
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation (
-      let
-        kdepkgs = with pkgs.kdePackages; [
-          ark
-          dolphin-plugins
-          kolourpaint
-        ];
-        kwrite = pkgs.symlinkJoin {
-          name = "kwrite";
-          paths = [ pkgs.kdePackages.kate ];
-          postBuild = ''
-            rm -rf $out/bin/kate \
-                   $out/bin/.kate-wrapped \
-                   $out/share/applications/org.kde.kate.desktop \
-                   $out/share/man \
-                   $out/share/icons/hicolor/*/apps/kate.png \
-                   $out/share/icons/hicolor/scalable/apps/kate.svg \
-                   $out/share/appdata/org.kde.kate.appdata.xml
-          '';
-        };
-      in
-      {
-        environment = {
-          systemPackages =
-            with pkgs;
-            [
-              ### Dev Tools ###
-              bat
-              ciscoPacketTracer8
-              claude-code
-              fd
-              fzf
-              nixfmt-rfc-style
-              nix-init
-              nix-output-monitor
-              ripgrep
-              ### Internet Browsers & Communication ###
-              beeper
-              brave
-              tor-browser
-              vesktop
-              ### Office & Productivity ###
-              aspell
-              aspellDicts.de
-              aspellDicts.en
-              aspellDicts.en-computers
-              aspellDicts.pt_BR
-              kwrite
-              libreoffice-qt
-              obsidian
-              onlyoffice-desktopeditors
-              rnote
-              ### Graphics & Design ###
-              gimp
-              inkscape
-              plasticity
-              ### Gaming & Entertainment ###
-              clonehero
-              heroic
-              mangohud
-              prismlauncher
-              protonup
-              ### System Utilities ###
-              adwaita-icon-theme
-              junction
-              kara
-              kde-rounded-corners
-              libfido2
-              mission-center
-              p7zip
-              qbittorrent
-              quickemu
-              quickgui
-              rclone
-              steam-run
-              toggleaudiosink
-              unrar
-              ### Media ###
-              mpv
-              obs-studio
-              qview
-            ]
-            ++ kdepkgs;
-          plasma6.excludePackages = with pkgs.kdePackages; [
-            discover
-            elisa
-            gwenview
-            kate
-            khelpcenter
-            konsole
-            oxygen
-          ];
-        };
-
-        programs = {
-          adb.enable = true;
-          steam = {
-            enable = true;
-            extraCompatPackages = [ pkgs.proton-ge-bin ];
-          };
-          dconf.enable = true;
-          nix-ld.enable = true;
-          kdeconnect.enable = true;
-          partition-manager.enable = true;
-          gamemode.enable = true;
-          appimage = {
-            enable = true;
-            binfmt = true;
-          };
-          nh = {
-            enable = true;
-            flake = "/home/user/Projects/personal/nix-config";
-          };
-        };
-
-        fonts = {
-          fontDir.enable = true;
-          packages = with pkgs; [
-            corefonts
-            inter
-            nerd-fonts.hack
-            noto-fonts-cjk-sans
-            roboto
-          ];
-        };
-
-        services.flatpak = {
-          enable = true;
-          packages = [
-            ### Dev Tools ###
-            ### Internet Browsers & Communication ###
-            "app.zen_browser.zen"
-            ### Office & Productivity ###
-            ### Graphics & Design ###
-            "com.boxy_svg.BoxySVG"
-            rec {
-              appId = "io.github.softfever.OrcaSlicer";
-              sha256 = "0hdx5sg6fknj1pfnfxvlfwb5h6y1vjr6fyajbsnjph5gkp97c6p1";
-              bundle = "${pkgs.fetchurl {
-                url = "https://github.com/SoftFever/OrcaSlicer/releases/download/v2.3.0/OrcaSlicer-Linux-flatpak_V2.3.0_x86_64.flatpak";
-                inherit sha256;
-              }}";
-            }
-            ### Gaming & Entertainment ###
-            "com.github.k4zmu2a.spacecadetpinball"
-            "io.itch.itch"
-            "io.mrarm.mcpelauncher"
-            "org.freedesktop.Platform.VulkanLayer.MangoHud/x86_64/24.08"
-            ### System Utilities ###
-            "com.github.tchx84.Flatseal"
-            "com.rustdesk.RustDesk"
-            "com.steamgriddb.SGDBoop"
-            "io.github.Foldex.AdwSteamGtk"
-            ### Media ###
-          ];
-          uninstallUnmanaged = true;
-          update.auto.enable = true;
-        };
-      }
-    ))
-  ];
-}

hosts/modules/rotterdam/default.nix

@@ -1,11 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./boot.nix
-    ./hardware-configuration.nix
-    ./hardware.nix
-    ./programs.nix
-    ./services.nix
-  ];
-}

hosts/modules/security.nix

@@ -1,26 +0,0 @@
-{ hostType, lib, ... }:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      security = {
-        unprivilegedUsernsClone = true; # Needed for rootless podman
-        sudo = {
-          wheelNeedsPassword = false;
-          extraConfig = ''
-            Defaults lecture = never
-          '';
-        };
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-    })
-  ];
-}

hosts/modules/server/boot.nix

@@ -0,0 +1,5 @@
+{ pkgs, ... }:
+
+{
+  boot.kernelPackages = pkgs.linuxPackages_hardened;
+}

hosts/modules/server/nix.nix

@@ -0,0 +1,13 @@
+{ inputs, ... }:
+
+{
+  environment.etc."channels/nixpkgs".source = inputs.nixpkgs-stable.outPath;
+
+  nix = {
+    registry.nixpkgs.flake = inputs.nixpkgs-stable;
+    nixPath = [
+      "nixpkgs=/etc/channels/nixpkgs"
+      "/nix/var/nix/profiles/per-user/root/channels"
+    ];
+  };
+}

hosts/modules/server/tailscale.nix

@@ -0,0 +1,13 @@
+{ ... }:
+
+{
+  services.tailscale = {
+    extraSetFlags = [ "--advertise-exit-node" ];
+    useRoutingFeatures = "server";
+  };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    "net.ipv6.conf.all.forwarding" = 1;
+  };
+}

hosts/modules/services.nix

@@ -1,52 +0,0 @@
-{
-  hostType,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      services = {
-        tailscale = {
-          enable = true;
-          extraUpFlags = [ "--operator=user" ];
-        };
-        openssh = {
-          enable = true;
-          settings.PermitRootLogin = "no";
-        };
-        nixos-cli = {
-          enable = true;
-          config = {
-            use_nvd = true;
-            ignore_dirty_tree = true;
-          };
-        };
-        fwupd.enable = true;
-        fstrim.enable = true;
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      services = {
-        printing.enable = true;
-        udev.packages = with pkgs; [ yubikey-personalization ];
-        keyd = {
-          enable = true;
-          keyboards.all = {
-            ids = [ "*" ];
-            settings.main.capslock = "overload(meta, esc)";
-          };
-        };
-      };
-    })
-  ];
-}

hosts/modules/stylix.nix

@@ -1,63 +0,0 @@
-{
-  config,
-  hostType,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      stylix = {
-        enable = true;
-        polarity = "dark";
-        base16Scheme = "${pkgs.base16-schemes}/share/themes/catppuccin-mocha.yaml";
-        cursor = {
-          package = pkgs.kdePackages.breeze-icons;
-          name = "Breeze_Light";
-          size = 24;
-        };
-        opacity = {
-          applications = 1.0;
-          desktop = 0.8;
-          popups = config.stylix.opacity.desktop;
-          terminal = 1.0;
-        };
-        fonts = {
-          serif = {
-            package = pkgs.source-serif;
-            name = "Source Serif 4 Display";
-          };
-          sansSerif = {
-            package = pkgs.inter;
-            name = "Inter";
-          };
-          monospace = {
-            package = pkgs.nerd-fonts.fira-code;
-            name = "FiraCode Nerd Font";
-          };
-          emoji = {
-            package = pkgs.noto-fonts-emoji;
-            name = "Noto Color Emoji";
-          };
-          sizes = {
-            applications = 11;
-            desktop = config.stylix.fonts.sizes.applications;
-            popups = config.stylix.fonts.sizes.applications;
-            terminal = 12;
-          };
-        };
-      };
-    })
-  ];
-}

hosts/modules/trantor/boot.nix

@@ -1,7 +0,0 @@
-{
-  boot = {
-    loader.efi.efiSysMountPoint = "/boot";
-    initrd.systemd.enable = true;
-    kernel.sysctl."net.ipv4.ip_forward" = 1;
-  };
-}

hosts/modules/trantor/default.nix

@@ -1,10 +0,0 @@
-{ ... }:
-
-{
-  imports = [
-    ./boot.nix
-    ./disko.nix
-    ./hardware-configuration.nix
-    ./networking.nix
-  ];
-}

hosts/modules/trantor/disko.nix

@@ -1,34 +0,0 @@
-{ ... }:
-
-{
-  disko.devices = {
-    disk = {
-      main = {
-        type = "disk";
-        device = "/dev/disk/by-id/scsi-3605e4addb4c640319c8c03436205530b";
-        content = {
-          type = "gpt";
-          partitions = {
-            boot = {
-              size = "512M";
-              type = "EF00";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-              };
-            };
-            root = {
-              size = "100%";
-              content = {
-                type = "filesystem";
-                format = "ext4";
-                mountpoint = "/";
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}

hosts/modules/trantor/hardware-configuration.nix

@@ -1,27 +0,0 @@
-{
-  lib,
-  modulesPath,
-  ...
-}:
-
-{
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
-  boot = {
-    kernelModules = [ ];
-    extraModulePackages = [ ];
-    initrd = {
-      availableKernelModules = [
-        "xhci_pci"
-        "virtio_pci"
-        "virtio_scsi"
-        "usbhid"
-      ];
-      kernelModules = [ ];
-    };
-  };
-
-  networking.useDHCP = lib.mkDefault true;
-
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-}

hosts/modules/users.nix

@@ -1,85 +0,0 @@
-{
-  hostType,
-  inputs,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      users.users = {
-        user = {
-          isNormalUser = true;
-          shell = pkgs.fish;
-          extraGroups = [
-            "networkmanager"
-            "docker"
-            "wheel"
-          ];
-          openssh.authorizedKeys.keys = [
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA1v3+q3EaruiiStWjubEJWvtejam/r41uoOpCdwJtLL user@rotterdam"
-            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO3Y0PVpGfJHonqDS7qoCFhqzUvqGq9I9sax+F9e/5cs user@io"
-          ];
-          hashedPassword = "$6$Pj7v/CpstyuWQQV0$cNujVDhfMBdwlGVEnnd8t71.kZPixbo0u25cd.874iaqLTH4V5fa1f98V5zGapjQCz5JyZmsR94xi00sUrntT0";
-        };
-        root = {
-          shell = pkgs.fish;
-          hashedPassword = "!";
-        };
-      };
-
-      home-manager = {
-        useGlobalPkgs = true;
-        useUserPackages = true;
-        backupFileExtension = "bkp";
-        users = {
-          user = import ../../users/user.nix;
-          root = import ../../users/root.nix;
-        };
-        sharedModules = [
-          inputs.nixvim.homeModules.nixvim
-        ];
-        extraSpecialArgs = {
-          inherit hostType;
-          inherit inputs;
-        };
-      };
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      environment.sessionVariables = {
-        KDEHOME = "$XDG_CONFIG_HOME/kde4"; # Stops kde from placing a .kde4 folder in the home dir
-        NIXOS_OZONE_WL = "1"; # Forces chromium and most electron apps to run in wayland
-      };
-
-      users.users = {
-        user = {
-          description = "William";
-          uid = 1000;
-          extraGroups = [
-            "uaccess" # Needed for HID dev
-            "dialout" # Needed for arduino dev
-            "libvirt"
-            "libvirtd"
-            "adbusers"
-            "i2c"
-          ];
-        };
-        ewans = {
-          description = "Ewans";
-          isNormalUser = true;
-          uid = 1001;
-          hashedPassword = "$y$j9T$yHLUDvj6bDIP19dchU.aA/$OY4qeFNtx/GvI.VUYx4LapHiiVwi0MEvs8AT0HN7j58";
-        };
-      };
-    })
-  ];
-}

hosts/modules/virtualisation.nix

@@ -1,38 +0,0 @@
-{
-  hostType,
-  lib,
-  pkgs,
-  ...
-}:
-
-{
-  config = lib.mkMerge [
-    # Common configuration
-    {
-      virtualisation.podman = {
-        enable = true;
-        dockerCompat = true;
-        autoPrune.enable = true;
-        extraPackages = [ pkgs.podman-compose ];
-      };
-
-      systemd = {
-        services.podman-auto-update.enable = true;
-        timers.podman-auto-update.enable = true;
-      };
-
-    }
-
-    # Server specific configuration
-    (lib.mkIf hostType.isServer {
-    })
-
-    # Workstation specific configuration
-    (lib.mkIf hostType.isWorkstation {
-      virtualisation = {
-        libvirtd.enable = true;
-        lxd.enable = true;
-      };
-    })
-  ];
-}

hosts/rotterdam.nix

@@ -1,12 +0,0 @@
-{ ... }:
-
-{
-  networking.hostName = "rotterdam";
-
-  imports = [
-    ./modules/rotterdam
-    ./modules
-  ];
-
-  nix.nixPath = [ "nixos-config=${./rotterdam.nix}" ];
-}

hosts/rotterdam/hardware.nix

@@ -2,10 +2,7 @@
 
 {
   hardware = {
-    amdgpu = {
+    amdgpu.opencl.enable = true;
-      opencl.enable = true;
-      amdvlk.enable = true;
-    };
     graphics.extraPackages = with pkgs; [ rocmPackages.clr.icd ];
   };
 }

hosts/rotterdam/programs.nix

@@ -27,7 +27,5 @@ in
 {
   environment.systemPackages = [ reboot-into-qubes ];
 
-  services.flatpak.packages = [ "net.retrodeck.retrodeck" ];
-
   programs.steam.dedicatedServer.openFirewall = true;
 }

hosts/trantor.nix

@@ -1,13 +0,0 @@
-{ ... }:
-
-{
-  networking.hostName = "trantor";
-
-  imports = [
-    ./modules/trantor
-    ./modules
-  ];
-
-  nix.nixPath = [ "nixos-config=${./trantor.nix}" ];
-}
-

hosts/trantor/boot.nix

@@ -0,0 +1,6 @@
+{
+  boot = {
+    initrd.systemd.enable = true;
+    loader.efi.efiSysMountPoint = "/boot/efi";
+  };
+}

hosts/trantor/disko.nix

@@ -0,0 +1,64 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.disko.nixosModules.default ];
+
+  disko.devices.disk.main = {
+    type = "disk";
+    device = "/dev/disk/by-id/scsi-360b207ed25d84372a95d1ecf842f8e20";
+    content = {
+      type = "gpt";
+      partitions = {
+        ESP = {
+          priority = 1;
+          name = "ESP";
+          start = "1MiB";
+          end = "512MiB";
+          type = "EF00";
+          content = {
+            type = "filesystem";
+            format = "vfat";
+            mountpoint = "/boot/efi";
+            mountOptions = [
+              "noatime"
+              "fmask=0077"
+              "dmask=0077"
+            ];
+          };
+        };
+        root = {
+          priority = 2;
+          name = "root";
+          size = "100%";
+          content = {
+            type = "btrfs";
+            extraArgs = [ "-f" ];
+            subvolumes = {
+              "@root" = {
+                mountpoint = "/";
+                mountOptions = [
+                  "noatime"
+                  "compress=zstd"
+                ];
+              };
+              "@nix" = {
+                mountpoint = "/nix";
+                mountOptions = [
+                  "noatime"
+                  "compress=zstd"
+                ];
+              };
+              "@persistent" = {
+                mountpoint = "/persistent";
+                mountOptions = [
+                  "noatime"
+                  "compress=zstd"
+                ];
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

hosts/trantor/fail2ban.nix

@@ -0,0 +1,23 @@
+{ config, pkgs, ... }:
+
+{
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+    ignoreIP = [
+      "127.0.0.0/8"
+      "::1"
+      "10.0.0.0/8"
+      "172.16.0.0/12"
+      "192.168.0.0/16"
+      "100.64.0.0/10"
+    ];
+    bantime = "1h";
+    bantime-increment = {
+      enable = true;
+      multipliers = "1 2 4 8 16 32 64";
+      maxtime = "10000h";
+      overalljails = true;
+    };
+  };
+}

hosts/trantor/forgejo.nix

@@ -0,0 +1,72 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts;
+in
+
+{
+  services = {
+    forgejo = {
+      enable = true;
+      settings = {
+        session.COOKIE_SECURE = true;
+        server = {
+          PROTOCOL = "http+unix";
+          DOMAIN = "git.baduhai.dev";
+          ROOT_URL = "https://git.baduhai.dev";
+          OFFLINE_MODE = true; # disable use of CDNs
+          SSH_DOMAIN = "git.baduhai.dev";
+        };
+        log.LEVEL = "Warn";
+        mailer.ENABLED = false;
+        actions.ENABLED = false;
+        service.DISABLE_REGISTRATION = true;
+        oauth2_client = {
+          ENABLE_AUTO_REGISTRATION = true;
+          UPDATE_AVATAR = true;
+          ACCOUNT_LINKING = "login";
+          USERNAME = "preferred_username";
+        };
+      };
+    };
+    nginx.virtualHosts = mkNginxVHosts {
+      domains."git.baduhai.dev".locations."/".proxyPass =
+        "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
+    };
+    fail2ban.jails.forgejo = {
+      settings = {
+        enabled = true;
+        filter = "forgejo";
+        maxretry = 3;
+        findtime = "10m";
+        bantime = "1h";
+      };
+    };
+  };
+
+  environment = {
+    etc."fail2ban/filter.d/forgejo.conf".text = ''
+      [Definition]
+      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+      ignoreregex =
+      journalmatch = _SYSTEMD_UNIT=forgejo.service
+    '';
+
+    persistence.main.directories = [
+      {
+        directory = config.services.forgejo.stateDir;
+        inherit (config.services.forgejo) user group;
+        mode = "0700";
+      }
+    ];
+  };
+
+  # Disable PrivateMounts to allow LoadCredential to work with bind-mounted directories
+  systemd.services.forgejo.serviceConfig.PrivateMounts = lib.mkForce false;
+}

hosts/trantor/hardware-configuration.nix

@@ -0,0 +1,20 @@
+{
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "usbhid"
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
+}

hosts/trantor/nginx.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  inputs,
+  ...
+}:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+  inherit (utils) mkNginxVHosts services;
+
+  # Get all unique domains from shared services on trantor (host = "trantor")
+  localDomains = lib.unique (
+    map (s: s.domain) (lib.filter (s: s.host == "trantor") services)
+  );
+
+  # Generate ACME cert configs for all local domains
+  acmeCerts = lib.genAttrs localDomains (domain: {
+    group = "nginx";
+  });
+in
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "baduhai@proton.me";
+      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.cloudflare.path;
+    };
+    certs = acmeCerts;
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts = {
+      "_" = {
+        default = true;
+        locations."/".return = "444";
+      };
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+
+  age.secrets.cloudflare = {
+    file = ../../secrets/cloudflare.age;
+    owner = "nginx";
+    group = "nginx";
+  };
+}

hosts/trantor/openssh.nix

@@ -0,0 +1,23 @@
+{ ... }:
+
+{
+  services = {
+    openssh = {
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+      };
+    };
+    fail2ban.jails.sshd = {
+      settings = {
+        enabled = true;
+        port = "ssh";
+        filter = "sshd";
+        logpath = "/var/log/auth.log";
+        maxretry = 3;
+        findtime = "10m";
+        bantime = "1h";
+      };
+    };
+  };
+}

hosts/trantor/unbound.nix

@@ -0,0 +1,58 @@
+{ inputs, lib, ... }:
+
+let
+  utils = import ../../utils.nix { inherit inputs lib; };
+in
+
+{
+  services.unbound = {
+    enable = true;
+    enableRootTrustAnchor = true;
+    settings = {
+      server = {
+        interface = [
+          "0.0.0.0"
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "100.64.0.0/10 allow" # Tailscale CGNAT range
+          "::1/128 allow"
+          "fd7a:115c:a1e0::/48 allow" # Tailscale IPv6
+        ];
+
+        num-threads = 2;
+        msg-cache-size = "50m";
+        rrset-cache-size = "100m";
+        cache-min-ttl = 300;
+        cache-max-ttl = 86400;
+        prefetch = true;
+        prefetch-key = true;
+        hide-identity = true;
+        hide-version = true;
+        so-rcvbuf = "1m";
+        so-sndbuf = "1m";
+
+        # Tailnet DNS records from shared services
+        local-zone = ''"baduhai.dev." transparent'';
+        local-data = map (e: ''"${e.domain}. IN A ${e.tailscaleIP}"'') utils.services;
+      };
+
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "1.1.1.1@853#cloudflare-dns.com"
+            "1.0.0.1@853#cloudflare-dns.com"
+          ];
+          forward-tls-upstream = true;
+        }
+      ];
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [ 53 ];
+    allowedUDPPorts = [ 53 ];
+  };
+}

modules/ephemeral.nix

@@ -0,0 +1,84 @@
+{ lib, config, ... }:
+
+let
+  cfg = config.ephemeral;
+in
+{
+  options.ephemeral = {
+    enable = lib.mkEnableOption "ephemeral root with automatic rollback";
+
+    rootDevice = lib.mkOption {
+      type = lib.types.str;
+      example = "/dev/mapper/cryptroot";
+      description = "Device path for the root btrfs filesystem";
+    };
+
+    rootSubvolume = lib.mkOption {
+      type = lib.types.str;
+      example = "@root";
+      description = "Name of the root btrfs subvolume";
+    };
+
+    oldRootRetentionDays = lib.mkOption {
+      type = lib.types.int;
+      default = 30;
+      description = "Number of days to keep old root snapshots before deletion";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    boot.initrd.systemd.services.recreate-root = {
+      description = "Rolling over and creating new filesystem root";
+      requires = [ "initrd-root-device.target" ];
+      after = [
+        "local-fs-pre.target"
+        "initrd-root-device.target"
+      ];
+      requiredBy = [ "initrd-root-fs.target" ];
+      before = [ "sysroot.mount" ];
+      unitConfig = {
+        AssertPathExists = "/etc/initrd-release";
+        DefaultDependencies = false;
+      };
+      serviceConfig = {
+        Type = "oneshot";
+        RemainAfterExit = true;
+      };
+      script = ''
+        set -euo pipefail
+
+        mkdir /btrfs_tmp
+        if ! mount ${cfg.rootDevice} /btrfs_tmp; then
+          echo "ERROR: Failed to mount ${cfg.rootDevice}"
+          exit 1
+        fi
+
+        if [[ -e /btrfs_tmp/${cfg.rootSubvolume} ]]; then
+          mkdir -p /btrfs_tmp/old_roots
+          timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/${cfg.rootSubvolume})" "+%Y-%m-%-d_%H:%M:%S")
+          mv /btrfs_tmp/${cfg.rootSubvolume} "/btrfs_tmp/old_roots/$timestamp"
+        fi
+
+        delete_subvolume_recursively() {
+          IFS=$'\n'
+          for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+             delete_subvolume_recursively "/btrfs_tmp/$i"
+          done
+          btrfs subvolume delete "$1"
+        }
+
+        for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +${toString cfg.oldRootRetentionDays}); do
+          delete_subvolume_recursively "$i"
+        done
+
+        if ! btrfs subvolume create /btrfs_tmp/${cfg.rootSubvolume}; then
+          echo "ERROR: Failed to create subvolume ${cfg.rootSubvolume}"
+          umount /btrfs_tmp
+          exit 1
+        fi
+
+        umount /btrfs_tmp
+      '';
+    };
+  };
+}

modules/qbittorrent.nix

@@ -1,123 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-with lib;
-let
-  cfg = config.services.qbittorrent;
-  configDir = "${cfg.dataDir}/.config";
-  openFilesLimit = 4096;
-in
-{
-  options.services.qbittorrent = {
-    enable = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Run qBittorrent headlessly as systemwide daemon
-      '';
-    };
-
-    dataDir = mkOption {
-      type = types.path;
-      default = "/var/lib/qbittorrent";
-      description = ''
-        The directory where qBittorrent will create files.
-      '';
-    };
-
-    user = mkOption {
-      type = types.str;
-      default = "qbittorrent";
-      description = ''
-        User account under which qBittorrent runs.
-      '';
-    };
-
-    group = mkOption {
-      type = types.str;
-      default = "qbittorrent";
-      description = ''
-        Group under which qBittorrent runs.
-      '';
-    };
-
-    port = mkOption {
-      type = types.port;
-      default = 8080;
-      description = ''
-        qBittorrent web UI port.
-      '';
-    };
-
-    openFirewall = mkOption {
-      type = types.bool;
-      default = false;
-      description = ''
-        Open services.qBittorrent.port to the outside network.
-      '';
-    };
-
-    openFilesLimit = mkOption {
-      default = openFilesLimit;
-      description = ''
-        Number of files to allow qBittorrent to open.
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-
-    environment.systemPackages = [ pkgs.qbittorrent ];
-
-    nixpkgs.overlays = [
-      (final: prev: {
-        qbittorrent = prev.qbittorrent.override { guiSupport = false; };
-      })
-    ];
-
-    networking.firewall = mkIf cfg.openFirewall {
-      allowedTCPPorts = [ cfg.port ];
-      allowedUDPPorts = [ cfg.port ];
-    };
-
-    systemd.services.qbittorrent = {
-      after = [ "network.target" ];
-      description = "qBittorrent Daemon";
-      wantedBy = [ "multi-user.target" ];
-      path = [ pkgs.qbittorrent ];
-      serviceConfig = {
-        ExecStart = ''
-          ${pkgs.qbittorrent}/bin/qbittorrent-nox \
-            --profile=${configDir} \
-            --webui-port=${toString cfg.port}
-        '';
-        # To prevent "Quit & shutdown daemon" from working; we want systemd to
-        # manage it!
-        Restart = "on-success";
-        User = cfg.user;
-        Group = cfg.group;
-        UMask = "0002";
-        LimitNOFILE = cfg.openFilesLimit;
-      };
-    };
-
-    users.users = mkIf (cfg.user == "qbittorrent") {
-      qbittorrent = {
-        inherit group;
-        home = cfg.dataDir;
-        createHome = true;
-        description = "qBittorrent Daemon user";
-      };
-    };
-
-    users.groups = mkIf (cfg.group == "qbittorrent") {
-      qbittorrent = {
-        gid = null;
-      };
-    };
-  };
-}

nixosConfigurations.nix

@@ -0,0 +1,55 @@
+{ inputs, ... }:
+let
+  lib = inputs.nixpkgs.lib;
+  utils = import ./utils.nix { inherit inputs lib; };
+  inherit (utils) mkHost;
+in
+{
+  flake.nixosConfigurations = {
+    rotterdam = mkHost {
+      hostname = "rotterdam";
+      tags = [
+        "desktop"
+        "ai"
+        "bluetooth"
+        "dev"
+        "ephemeral"
+        "fwupd"
+        "gaming"
+        "libvirtd"
+        "networkmanager"
+        "podman"
+      ];
+    };
+
+    io = mkHost {
+      hostname = "io";
+      tags = [
+        "desktop"
+        "ai"
+        "bluetooth"
+        "dev"
+        "ephemeral"
+        "networkmanager"
+        "podman"
+      ];
+    };
+
+    alexandria = mkHost {
+      hostname = "alexandria";
+      tags = [
+        # "server" TODO: uncomment when 25.11 is out.
+        "fwupd"
+      ];
+    };
+
+    trantor = mkHost {
+      hostname = "trantor";
+      system = "aarch64-linux";
+      tags = [
+        "server"
+        "ephemeral"
+      ];
+    };
+  };
+}

nixosModules.nix

@@ -0,0 +1,7 @@
+{ ... }:
+
+{
+  flake.nixosModules = {
+    ephemeral = import ./modules/ephemeral.nix;
+  };
+}

overlays.nix

@@ -0,0 +1,13 @@
+{ inputs, ... }:
+
+{
+  flake.overlays = {
+    default = final: prev: {
+      base16-schemes = inputs.self.packages.${final.system}.base16-schemes;
+      fastfetch = inputs.self.packages.${final.system}.fastfetch;
+      hm-cli = inputs.self.packages.${final.system}.hm-cli;
+      kwrite = inputs.self.packages.${final.system}.kwrite;
+      toggleaudiosink = inputs.self.packages.${final.system}.toggleaudiosink;
+    };
+  };
+}

packages.nix

@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+  perSystem =
+    { pkgs, system, ... }:
+    {
+      packages = {
+        base16-schemes = pkgs.callPackage ./packages/base16-schemes.nix { };
+        fastfetch = pkgs.callPackage ./packages/fastfetch.nix { };
+        hm-cli = pkgs.callPackage ./packages/hm-cli.nix { };
+        kwrite = pkgs.callPackage ./packages/kwrite.nix { };
+        toggleaudiosink = pkgs.callPackage ./packages/toggleaudiosink.nix { };
+      };
+    };
+}

packages/base16-schemes.nix

@@ -0,0 +1,32 @@
+{
+  lib,
+  stdenv,
+  fetchFromGitHub,
+}:
+stdenv.mkDerivation (finalAttrs: {
+  pname = "base16-schemes";
+  version = "0-unstable-2025-06-04";
+
+  src = fetchFromGitHub {
+    owner = "tinted-theming";
+    repo = "schemes";
+    rev = "317a5e10c35825a6c905d912e480dfe8e71c7559";
+    hash = "sha256-d4km8W7w2zCUEmPAPUoLk1NlYrGODuVa3P7St+UrqkM=";
+  };
+
+  installPhase = ''
+    runHook preInstall
+
+    mkdir -p $out/share/themes/
+    install base16/*.yaml $out/share/themes/
+
+    runHook postInstall
+  '';
+
+  meta = {
+    description = "All the color schemes for use in base16 packages";
+    homepage = "https://github.com/tinted-theming/schemes";
+    maintainers = [ lib.maintainers.DamienCassou ];
+    license = lib.licenses.mit;
+  };
+})

packages/fastfetch.nix

@@ -0,0 +1,81 @@
+{
+  lib,
+  pkgs ? import <nixpkgs> { },
+}:
+
+let
+  fastfetch-logo = pkgs.fetchurl {
+    url = "https://discourse.nixos.org/uploads/default/original/3X/3/6/36954e6d6aa32c8b00f50ca43f142d898c1ff535.png";
+    hash = "sha256-aLHz8jSAFocrn+Pb4vRq0wtkYFJpBpZRevd+VoZC/PQ=";
+  };
+
+  fastfetch-config = pkgs.writeText "fastfetch-config.json" (
+    builtins.toJSON {
+      "$schema" = "https://github.com/fastfetch-cli/fastfetch/raw/dev/doc/json_schema.json";
+      modules = [
+        "title"
+        "separator"
+        {
+          type = "os";
+          keyWidth = 9;
+        }
+        {
+          type = "kernel";
+          keyWidth = 9;
+        }
+        {
+          type = "uptime";
+          keyWidth = 9;
+        }
+        {
+          type = "shell";
+          keyWidth = 9;
+        }
+        "break"
+        {
+          type = "cpu";
+          keyWidth = 11;
+        }
+        {
+          type = "memory";
+          keyWidth = 11;
+        }
+        {
+          type = "swap";
+          keyWidth = 11;
+        }
+        {
+          type = "disk";
+          folders = "/";
+          keyWidth = 11;
+        }
+        {
+          type = "command";
+          key = "Systemd";
+          keyWidth = 11;
+          text = "echo \"$(systemctl list-units --state=failed --no-legend | wc -l) failed units, $(systemctl list-jobs --no-legend | wc -l) queued jobs\"";
+        }
+        "break"
+        {
+          type = "command";
+          key = "Public IP";
+          keyWidth = 15;
+          text = "curl -s -4 ifconfig.me 2>/dev/null || echo 'N/A'";
+        }
+        {
+          type = "command";
+          key = "Tailscale IP";
+          keyWidth = 15;
+          text = "tailscale ip -4 2>/dev/null || echo 'N/A'";
+        }
+        {
+          type = "command";
+          key = "Local IP";
+          keyWidth = 15;
+          text = "ip -4 addr show scope global | grep inet | head -n1 | awk '{print $2}' | cut -d/ -f1";
+        }
+      ];
+    }
+  );
+in
+pkgs.writeShellScriptBin "fastfetch" ''exec ${lib.getExe pkgs.fastfetch} --config ${fastfetch-config} --logo-type kitty --logo ${fastfetch-logo} --logo-padding-right 1 --logo-width 36 "$@" ''

packages/hm-cli.nix

@@ -0,0 +1,105 @@
+{
+  pkgs ? import <nixpkgs> { },
+}:
+
+pkgs.writeShellScriptBin "hm" ''
+    set -e
+
+    HM="${pkgs.lib.getExe pkgs.home-manager}"
+    FLAKE_PATH="''${HM_PATH:-$HOME/.config/home-manager}"
+    FLAKE_OUTPUT="''${HM_USER:-$(whoami)@$(hostname)}"
+
+    show_usage() {
+      cat <<EOF
+  Usage: hm <command> [args]
+
+  Commands:
+    apply                       Switch to a new generation
+    generation list             List all generations
+    generation delete ID...     Delete specified generation(s)
+    generation rollback         Rollback to the previous generation
+    generation switch ID        Switch to the specified generation
+    generation cleanup          Delete all but the current generation
+
+  Environment Variables:
+    HM_PATH           Override default flake path (~/.config/home-manager)
+      Currently set to "''${HM_PATH:-<not set>}"
+    HM_USER           Override default user output ("$(whoami)@$(hostname)")
+      Currently set to "''${HM_USER:-<not set>}"
+  EOF
+    }
+
+    if [[ $# -eq 0 ]]; then
+      show_usage
+      exit 1
+    fi
+
+    case "$1" in
+      apply)
+        "$HM" switch --flake "$FLAKE_PATH#$FLAKE_OUTPUT" -b bkp
+        ;;
+      generation)
+        if [[ $# -lt 2 ]]; then
+          echo "Error: generation command requires a subcommand"
+          show_usage
+          exit 1
+        fi
+
+        case "$2" in
+          list)
+            "$HM" generations
+            ;;
+          delete)
+            if [[ $# -lt 3 ]]; then
+              echo "Error: delete requires at least one generation ID"
+              exit 1
+            fi
+            shift 2
+            "$HM" remove-generations "$@"
+            ;;
+          rollback)
+            PREV_GEN=$("$HM" generations | \
+              sed -n 's/^[[:space:]]*id \([0-9]\+\).*/\1/p' | \
+              head -n 2 | tail -n 1)
+            if [[ -z "$PREV_GEN" ]]; then
+              echo "Error: could not determine previous generation (possibly only one generation exists)"
+              exit 1
+            fi
+            "$HM" switch --flake "$FLAKE_PATH" --switch-generation "$PREV_GEN" -b bkp
+            ;;
+          switch)
+            if [[ $# -ne 3 ]]; then
+              echo "Error: switch requires exactly one generation ID"
+              exit 1
+            fi
+            "$HM" switch --flake "$FLAKE_PATH" --switch-generation "$3" -b bkp
+            ;;
+          cleanup)
+            CURRENT_GEN=$("$HM" generations | sed -n 's/^.*id \([0-9]\+\) .* (current)$/\1/p')
+            if [[ -z "$CURRENT_GEN" ]]; then
+              echo "Error: could not determine current generation"
+              exit 1
+            fi
+            OLD_GENS=$("$HM" generations | sed -n 's/^.*id \([0-9]\+\) .*/\1/p' | grep -v "^$CURRENT_GEN$")
+            if [[ -z "$OLD_GENS" ]]; then
+              echo "No old generations to delete"
+            else
+              echo "Deleting generations: $(echo $OLD_GENS | tr '\n' ' ')"
+              echo "$OLD_GENS" | xargs "$HM" remove-generations
+              echo "Cleanup complete. Current generation $CURRENT_GEN preserved."
+            fi
+            ;;
+          *)
+            echo "Error: unknown generation subcommand '$2'"
+            show_usage
+            exit 1
+            ;;
+        esac
+        ;;
+      *)
+        echo "Error: unknown command '$1'"
+        show_usage
+        exit 1
+        ;;
+    esac
+''

packages/kwrite.nix

@@ -0,0 +1,15 @@
+{ pkgs }:
+
+pkgs.symlinkJoin {
+  name = "kwrite";
+  paths = [ pkgs.kdePackages.kate ];
+  postBuild = ''
+    rm -rf $out/bin/kate \
+           $out/bin/.kate-wrapped \
+           $out/share/applications/org.kde.kate.desktop \
+           $out/share/man \
+           $out/share/icons/hicolor/*/apps/kate.png \
+           $out/share/icons/hicolor/scalable/apps/kate.svg \
+           $out/share/appdata/org.kde.kate.appdata.xml
+  '';
+}