🔧 [pi4] Temporary disable Actual budget

➕ [pi4] ADd roomba dependency to home assistant️
🔒 [pi4] Do not require password for sudo️
2025-08-12 16:40:05 +00:00 · 2025-08-12 16:40:04 +00:00 · 2025-08-12 16:40:04 +00:00 · 2025-08-11 21:10:50 +02:00 · 2025-08-11 20:48:52 +02:00 · 2025-08-10 16:59:29 +02:00
161 changed files with 4783 additions and 380 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1 @@
+shared/secrets/weather-api-key filter=git-crypt diff=git-crypt
--- a/.gitea/assets/desktop.png
+++ b/.gitea/assets/desktop.png
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,5 @@
+# Symlink create by `nix build`
+result

+# IDEs
+.idea
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,11 @@
+keys:
+  - &thinkpad age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p
+  - &desktop age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
+  - &pi4 age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt
+creation_rules:
+  - path_regex: shared/secrets/secrets.yaml$
+    key_groups:
+      - age:
+          - *thinkpad
+          - *desktop
+          - *pi4
--- a/README.md
+++ b/README.md
@ -1,4 +1,65 @@
 # NixOS Configurations

-WIP!
+My NixOS configurations with dotfiles for my systems.

+![Screenshot of desktop](./.gitea/assets/desktop.png)
+
+## Uses
+
+|        |            |
+| ------ | ---------- |
+| WM     | Hyprland   |
+| Shell  | Fish       |
+| Prompt | Starship   |
+| Theme  | Catppuccin |
+| GPU    | Nvidia     |
+| Panel  | Hyprpanel  |
+| Runner | Rofi       |
+| Fetch  | Fastfetch  |
+
+## Commands
+
+First time run, will create a shell with the minimum dependencies in order to download the rest
+
+```Shell
+nix develop . --experimental-features 'nix-command flakes'
+just switch-now
+```
+
+Scripts below will not run unless the necessary packages have been added to the path, either in a shell or by running nixos-rebuild
+
+Format all .nix files
+
+```Shell
+  just fmt
+```
+
+Rebuild and test Nix configuration
+
+- Will add all new files to git and format all nix-files
+
+```Shell
+  just test
+```
+
+Rebuild and switch Nix configuration
+
+- Will add all new files to git and format all nix-files
+
+```Shell
+  just switch
+```
+
+Update and switch
+
+- Will update the flakes and nix-channel, then switch if there are no errors
+
+```Shell
+  just update-all
+```
+
+To update a single flake and rebuild
+
+```Shell
+  just update zen-browser
+```
--- a/biome.jsonc
+++ b/biome.jsonc
@ -0,0 +1,12 @@
+{
+  "$schema": "https://biomejs.dev/schemas/2.0.5/schema.json",
+
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space"
+  },
+
+  "linter": {
+    "enabled": false
+  }
+}
--- a/configuration.nix
+++ b/configuration.nix
@ -1,291 +0,0 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
-
-{ config, pkgs, ... }:
-
-{
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-    ];
-
-  # Bootloader.
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "nixos"; # Define your hostname.
-  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
-  # Enable networking
-  networking.networkmanager.enable = true;
-
-  # Set your time zone.
-  time.timeZone = "Europe/Oslo";
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_GB.UTF-8";
-
-  i18n.extraLocaleSettings = {
-    LC_ADDRESS = "nb_NO.UTF-8";
-    LC_IDENTIFICATION = "nb_NO.UTF-8";
-    LC_MEASUREMENT = "nb_NO.UTF-8";
-    LC_MONETARY = "nb_NO.UTF-8";
-    LC_NAME = "nb_NO.UTF-8";
-    LC_NUMERIC = "nb_NO.UTF-8";
-    LC_PAPER = "nb_NO.UTF-8";
-    LC_TELEPHONE = "nb_NO.UTF-8";
-    LC_TIME = "nb_NO.UTF-8";
-  };
-
-  # Configure console keymap
-  console.keyMap = "uk";
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  users.users.martin = {
-    isNormalUser = true;
-    description = "martin";
-    extraGroups = [ "networkmanager" "wheel" ];
-    packages = with pkgs; [];
-  };
-
-  # Allow unfree packages
-  nixpkgs.config.allowUnfree = true;
-
-  environment.variables = {  
-    EDITOR = "nvim";
-  };
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-    gnupg
-    firefox
-    wget
-    git
-    kitty
-    swaynotificationcenter
-    pipewire
-    wireplumber
-    xdg-utils
-    xdg-desktop-portal-gtk
-    xdg-desktop-portal-hyprland
-    hyprpolkitagent
-    waybar
-    rofi-wayland
-    kdePackages.dolphin
-    kdePackages.qtwayland
-    kdePackages.qtsvg
-    kdePackages.qt6ct
-    spotify
-    protonmail-desktop
-    adw-gtk3
-    glib
-    adwaita-icon-theme
-    jetbrains.rust-rover
-    jetbrains.webstorm
-    vscodium
-    stremio
-    docker
-    rustup
-    nodejs
-    pnpm
-    fastfetch
-    freetube
-    nixd
-  ];
-
-  home-manager = {
-    backupFileExtension = "backup";
-
-    users.martin = {
-
-      gtk = {
-        enable = true;
-        theme = {
-          name = "Adwaita-dark";
-          package = pkgs.gnome-themes-extra;
-        };
-      };
-
-      home = {
-        username = "martin";
-        homeDirectory = "/home/martin";
-
-        sessionVariables = {
-          EDITOR = "nvim";
-        };
-
-        stateVersion = "24.11";
-      };
-
-      programs = {
-	git = {
-	  enable = true;
-	  userName = "Martin Berg Alstad";
-	  userEmail = "git@martials.no";
-	};
-
-	kitty.enable = true;
-        
-	neovim = {
-          enable = true;
-          vimAlias = true;
-        };
-      };
-    };
-    #wayland.windowManager.hyprland.enable = true;
-  };
-
-  nix = {
-    settings.experimental-features = [ "nix-command" "flakes" ];
-  };
-
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
-
-  programs = {
-    bash = {
-      # Starts the OS using Bash, then starts fish if it's not running
-      interactiveShellInit = ''
-        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
-        then
-          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
-          exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
-        fi
-      '';
-    };
-
-    dconf = {
-      enable = true;
-    };
-
-    fish.enable = true;
-
-    gnupg.agent.enable = true;
-
-    hyprland = {
-      enable = true;
-      xwayland.enable = true;
-    };
- 
-    kdeconnect = {
-      enable = true;
-    };
-
-    # Required for nvim with flakes
-    # nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
- 
-    steam = {
-      enable = true;
-      remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
-      dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
-      localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers
-    };
-  };
-
-  # List services that you want to enable:
-
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
-
-  security.rtkit.enable = true;
-
-  services = {
-    displayManager.sddm = {
-      enable = true;
-      wayland.enable = true;
-    };
-
-    flatpak.enable = true;
-
-    gnome = {
-      gnome-keyring.enable = true;
-    };
-
-    pcscd.enable = true;
-
-    pipewire = {
-      enable = true;
-      alsa = {
-        enable = true;
-        support32Bit = true;
-      };
-      pulse.enable = true;
-    };
-
-    tailscale = {
-      enable = true;
-    };
-
-    xserver = {
-      enable = true;
-      # Load Nvidia driver for Xorg and Wayland
-      videoDrivers = ["nvidia"];
-      # Configure keymap in X11
-      xkb = {
-        layout = "gb";
-        variant = "";
-      };
-    };
-  };
-
-  virtualisation.docker = {
-    enable = true;
-    storageDriver = "btrfs";
-    rootless = {
-      enable = true;
-      setSocketVariable = true;
-    };
-  };
-
-  qt = {
-    enable = true;
-    #platformTheme = "gnome";
-    #style = "adwaita-dark";
-  };
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  # Enable OpenGL
-  hardware.graphics = {
-    enable = true;
-  };
-
-  hardware.nvidia = {
-    # Required
-    modesetting.enable = true;
-
-    # Use closed-source drivers
-    open = false;
-
-    # Enable the Nvidia settings menu
-    nvidiaSettings = true;
-  };
-
-  xdg.mime.defaultApplications = {
-    "text/html" = "io.github.zen_browser.zen.desktop";
-    "x-scheme-handler/http" = "io.github.zen_browser.zen.desktop";
-    "x-scheme-handler/https" = "io.github.zen_browser.zen.desktop";
-    "x-scheme-handler/about" = "io.github.zen_browser.zen.desktop";
-    "x-scheme-handler/unknown" = "io.github.zen_browser.zen.desktop";
-  };
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It‘s perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "24.11"; # Did you read the comment?
-
-}
--- a/flake.lock
+++ b/flake.lock
@ -1,5 +1,103 @@
 {
  "nodes": {
+    "blobs": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
+      }
+    },
+    "catppuccin": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1754727511,
+        "narHash": "sha256-iRqRCeeXEQ5HSB6zI6Wja7ZfY0PPRx5yelgjtoX2iMo=",
+        "owner": "catppuccin",
+        "repo": "nix",
+        "rev": "7b55c4947c02f79dfd249432ccb0ada2726c29e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "catppuccin",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": [
+          "simple-nixos-mailserver",
+          "flake-compat"
+        ],
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "simple-nixos-mailserver",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1742649964,
+        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "simple-nixos-mailserver",
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -7,11 +105,33 @@
        ]
      },
      "locked": {
-        "lastModified": 1735053786,
-        "narHash": "sha256-Gm+0DcbUS338vvkwyYWms5jsWlx8z8MeQBzcnIDuIkw=",
+        "lastModified": 1753592768,
+        "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "35b98d20ca8f4ca1f6a2c30b8a2c8bb305a36d84",
+        "rev": "fc3add429f21450359369af74c2375cb34a2d204",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-25.05",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "zen-browser",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1752603129,
+        "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b",
        "type": "github"
      },
      "original": {
@ -22,11 +142,107 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1734649271,
-        "narHash": "sha256-4EVBRhOjMDuGtMaofAIqzJbg4Ql7Ai0PSeuVZTHjyKQ=",
+        "lastModified": 1753694789,
+        "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-25_05": {
+      "locked": {
+        "lastModified": 1747610100,
+        "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1754689972,
+        "narHash": "sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fc756aa6f5d3e2e5666efcf865d190701fef150a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1754498491,
+        "narHash": "sha256-erbiH2agUTD0Z30xcVSFcDHzkRvkRXOQ3lb887bcVrs=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c2ae88e026f9525daf89587f3cbee584b92b6134",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1754689972,
+        "narHash": "sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fc756aa6f5d3e2e5666efcf865d190701fef150a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1747179050,
+        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_4": {
+      "locked": {
+        "lastModified": 1752480373,
+        "narHash": "sha256-JHQbm+OcGp32wAsXTE/FLYGNpb+4GLi5oTvCxwSoBOA=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "d70bd19e0a38ad4790d3913bf08fcbfc9eeca507",
+        "rev": "62e0f05ede1da0d54515d4ea8ce9c733f12d9f08",
        "type": "github"
      },
      "original": {
@ -38,8 +254,113 @@
    },
    "root": {
      "inputs": {
+        "catppuccin": "catppuccin",
        "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-stable": "nixpkgs-stable",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "simple-nixos-mailserver": "simple-nixos-mailserver",
+        "sops-nix": "sops-nix",
+        "spicetify-nix": "spicetify-nix",
+        "zen-browser": "zen-browser"
+      }
+    },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs_3",
+        "nixpkgs-25_05": "nixpkgs-25_05"
+      },
+      "locked": {
+        "lastModified": 1747965231,
+        "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "53007af63fade28853408370c4c600a63dd97f41",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-25.05",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1754328224,
+        "narHash": "sha256-glPK8DF329/dXtosV7YSzRlF4n35WDjaVwdOMEoEXHA=",
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "rev": "49021900e69812ba7ddb9e40f9170218a7eca9f4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "spicetify-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs-unstable"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1754196919,
+        "narHash": "sha256-0zATw65mNql9H8e7HWVBPpijMSbDVeK7JNivRBcUScM=",
+        "owner": "Gerg-L",
+        "repo": "spicetify-nix",
+        "rev": "24fcb94f7792ab755b933e1c9516996530ac1fbd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Gerg-L",
+        "repo": "spicetify-nix",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "zen-browser": {
+      "inputs": {
+        "home-manager": "home-manager_2",
+        "nixpkgs": "nixpkgs_4"
+      },
+      "locked": {
+        "lastModified": 1754713785,
+        "narHash": "sha256-/XEjh0nXEzHX5H84AAEP1vJopIGf0Z4sbfqKklwQaHk=",
+        "owner": "0xc000022070",
+        "repo": "zen-browser-flake",
+        "rev": "7564df093b5d6aac0be47a0cd6336e5a36ece598",
+        "type": "github"
+      },
+      "original": {
+        "owner": "0xc000022070",
+        "repo": "zen-browser-flake",
+        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -1,32 +1,202 @@
 {
-  description = "NixOS configuration";
+  description = "Martin's NixOS configuration - Based on EmergentMind/nix-config";

  inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    #
+    # ========= Official NixOS and HM Package Sources =========
+    #
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
+    # The next two are for pinning to stable vs unstable regardless of what the above is set to
+    # This is particularly useful when an upcoming stable release is in beta because you can effectively
+    # keep 'nixpkgs-stable' set to stable for critical packages while setting 'nixpkgs' to the beta branch to
+    # get a jump start on deprecation changes.
+    # See also 'stable-packages' and 'unstable-packages' overlays at 'overlays/default.nix"
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
+    nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
+
    home-manager = {
-      url = "github:nix-community/home-manager";
+      url = "github:nix-community/home-manager/release-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+
+    #
+    # ========= Utilities =========
+    #
+    # Secrets management
+    sops-nix = {
+      url = "github:mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    # Catppuccin theming
+    catppuccin.url = "github:catppuccin/nix";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
+    # Spotify
+    spicetify-nix = {
+      url = "github:Gerg-L/spicetify-nix";
+      inputs.nixpkgs.follows = "nixpkgs-unstable";
+    };
+    # Browser
+    zen-browser.url = "github:0xc000022070/zen-browser-flake";
  };

-  outputs = inputs@{ nixpkgs, home-manager, ... }:
-  let
-    system = "x86_64-linux";
-  in
-  {
-    nixosConfigurations = {
-      nixos = nixpkgs.lib.nixosSystem {
-        system = system;
-        modules = [
-	  ./configuration.nix
-	  home-manager.nixosModules.home-manager
-	  {
-            home-manager.useGlobalPkgs = true;
-            home-manager.useUserPackages = true;
-            home-manager.users.martin = import ./home.nix;
-	  }
-	];
+  outputs =
+    {
+      self,
+      nixpkgs,
+      home-manager,
+      ...
+    }@inputs:
+    let
+      inherit (self) outputs;
+      common = import ./shared/common.nix;
+      theme = import ./shared/theme.nix;
+
+      #
+      # ========= Architectures =========
+      #
+      forAllSystems = nixpkgs.lib.genAttrs [
+        "x86_64-linux"
+        "aarch64-linux"
+      ];
+
+      # ========== Extend lib with lib.custom ==========
+      # NOTE: This approach allows lib.custom to propagate into hm
+      # see: https://github.com/nix-community/home-manager/pull/3454
+      customLib = (_self: _super: { custom = import ./lib { inherit (nixpkgs) lib; }; });
+      lib = nixpkgs.lib.extend customLib;
+      libHm = home-manager.lib.extend customLib;
+
+      systems = builtins.map (config: defaultAttrs // config) [
+        {
+          hostName = "desktop";
+          nvidia.enable = true;
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSzXyTuQyTrWsfORQbvgrqt/33+hfSUDXeMg6D1T2wz";
+        }
+        {
+          hostName = "thinkpad";
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNlHKE/BD8kKfhJD7GBk1A3whZf3gTjk9VEgGAj3qsH";
+        }
+        {
+          hostName = "pi4";
+          system = "aarch64-linux";
+          wayland.enable = false;
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJE9m7YiITe1sDqSZ7Pa8luIw3WToLsypixZEqE4wCQE";
+          address.private = common.localIpAddr 188;
+        }
+        {
+          hostName = "homelab";
+          wayland.enable = false;
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARDv5nRlfPDXdV+Db4FaqeSJZ3/3MO0frYGzuVeqYAl";
+          address.private = common.localIpAddr 231;
+          address.tailnet = common.tailnetAddr "admin";
+        }
+      ];
+
+      defaultAttrs = {
+        hostName = builtins.abort "hostName is required";
+        system = "x86_64-linux";
+        username = common.username;
+        version = common.system.version;
+        wayland.enable = true;
+        nvidia.enable = false;
      };
+
+      knownSystems = [
+        {
+          # Samsung S23 FE
+          hostName = "localhost-y4maoyqm";
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7SSjiqnjif1Kko60iXVTKJ7a1/lRlR8TFNtoclNcnQ";
+        }
+        {
+          # OnePlus 8
+          hostName = "localhost-4izgka9k";
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALtulVgLrUEpKnpfPFQTHjaEXTxs2Q818NC18eLx0bj";
+        }
+      ];
+
+    in
+    {
+      #
+      # ========= Overlays =========
+      #
+      # Custom modifications/overrides to upstream packages
+      overlays = import ./overlays.nix { inherit inputs; };
+
+      #
+      # ========= Host Configurations =========
+      #
+      nixosConfigurations = builtins.listToAttrs (
+        builtins.map (
+          {
+            hostName,
+            system,
+            username,
+            ...
+          }@systemConfig:
+
+          {
+            name = hostName;
+            value = nixpkgs.lib.nixosSystem {
+              inherit system;
+              specialArgs = {
+                inherit
+                  outputs
+                  inputs
+                  common
+                  theme
+                  lib
+                  systemConfig
+                  systems
+                  knownSystems
+                  ;
+                isDarwin = false;
+              };
+              modules = [
+                ./hosts/${hostName}
+                home-manager.nixosModules.home-manager
+                {
+                  home-manager = {
+                    # Backups conflicting files in case of error
+                    backupFileExtension = "bkp";
+                    useGlobalPkgs = true;
+                    useUserPackages = true;
+                    extraSpecialArgs = {
+                      inherit
+                        inputs
+                        common
+                        theme
+                        libHm
+                        systemConfig
+                        systems
+                        ;
+                    };
+                    users.${username} = import ./hosts/${hostName}/home-manager;
+                  };
+                }
+                {
+                  nixpkgs.overlays = [ ];
+                }
+              ];
+            };
+          }
+        ) systems
+      );
+
+      #
+      # ========= Formatting =========
+      #
+      # Nix formatter available through 'nix fmt' https://github.com/NixOS/nixfmt
+      formatter = forAllSystems (system: nixpkgs.legacyPackages.${system}.nixfmt-rfc-style);
+
+      #
+      # ========= DevShell =========
+      #
+      # Custom shell for bootstrapping on new hosts, modifying nix-config, and secrets management
+      devShells = forAllSystems (
+        system:
+        import ./shell.nix {
+          pkgs = nixpkgs.legacyPackages.${system};
+        }
+      );
    };
-  };
 }
--- a/home.nix
+++ b/home.nix
@ -1,41 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  # Home Manager needs a bit of information about you and the
-  # paths it should manage.
-  home = {
-    username = "martin";
-    homeDirectory = "/home/martin";
-    
-    # You can update Home Manager without changing this value. See
-    # the Home Manager release notes for a list of state version
-    # changes in each release.
-    stateVersion = "24.11";
-  };
-
-  # Let Home Manager install and manage itself.
-  programs = {
-    git = {
-      enable = true;
-      userName = "Martin Berg Alstad";
-      userEmail = "git@martials.no";
-    };
-
-    home-manager.enable = true;
-
-    kitty.enable = true;
-
-    neovim = {
-      enable = true;
-      vimAlias = true;
-      viAlias = true;
-    };
-  };
-
-  services = {
-    gpg-agent = {
-      enable = true;
-      pinentryPackage = pkgs.pinentry-curses;
-    };
-  };
-}
--- a/hosts/desktop/bluetooth.nix
+++ b/hosts/desktop/bluetooth.nix
@ -0,0 +1,18 @@
+{ pkgs, ... }:
+
+{
+  hardware.bluetooth = {
+    enable = true;
+    input = {
+      # Required to get PS3 controllers working
+      General = {
+        ClassicBondedOnly = false;
+        UserspaceHID = false;
+      };
+    };
+    powerOnBoot = true;
+    package = pkgs.unstable.bluez;
+  };
+
+  services.blueman.enable = true;
+}
--- a/hosts/desktop/common.nix
+++ b/hosts/desktop/common.nix
@ -0,0 +1,4 @@
+{
+  monitor1 = "DP-1";
+  monitor2 = "DP-3";
+}
--- a/hosts/desktop/default.nix
+++ b/hosts/desktop/default.nix
@ -0,0 +1,15 @@
+{
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    (lib.custom.relativeToDesktop "modules")
+    ./bluetooth.nix
+    ./hardware-configuration.nix
+  ];
+
+  boot.kernelPackages = pkgs.linuxPackages_6_12;
+}
--- a/hosts/desktop/hardware-configuration.nix
+++ b/hosts/desktop/hardware-configuration.nix
@ -1,29 +1,42 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:

 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];

-  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+    "sr_mod"
+  ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];

-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/5e3f0f97-4bb4-4a53-ace2-9ed19ff9e8ea";
-      fsType = "btrfs";
-      options = [ "subvol=@" ];
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/5e3f0f97-4bb4-4a53-ace2-9ed19ff9e8ea";
+    fsType = "btrfs";
+    options = [ "subvol=@" ];
+  };

-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/D188-48A9";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/D188-48A9";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };

  swapDevices = [ ];

--- a/hosts/desktop/home-manager/default.nix
+++ b/hosts/desktop/home-manager/default.nix
@ -0,0 +1,14 @@
+{
+  lib,
+  ...
+}:
+
+{
+  imports = [
+    (lib.custom.relativeToDesktop "home-manager")
+    ./hyprpaper.nix
+    ./settings.nix
+  ];
+
+  programs.git.signing.key = "706F53DD087A91DE";
+}
--- a/hosts/desktop/home-manager/hyprpaper.nix
+++ b/hosts/desktop/home-manager/hyprpaper.nix
@ -0,0 +1,29 @@
+# Wallpapers
+{
+  lib,
+  theme,
+  ...
+}:
+
+{
+  services.hyprpaper.settings =
+    let
+      wallpaper1 = builtins.toString theme.wallpaper.monitor1;
+      wallpaper2 = builtins.toString theme.wallpaper.monitor2;
+    in
+    {
+      preload = lib.mkForce [
+        wallpaper1
+        wallpaper2
+      ];
+
+      wallpaper =
+        let
+          common = import ../common.nix;
+        in
+        lib.mkForce [
+          "${common.monitor1},${wallpaper1}"
+          "${common.monitor2},${wallpaper2}"
+        ];
+    };
+}
--- a/hosts/desktop/home-manager/settings.nix
+++ b/hosts/desktop/home-manager/settings.nix
@ -0,0 +1,12 @@
+{ lib, ... }:
+
+{
+  wayland.windowManager.hyprland.settings.monitor =
+    let
+      common = import ../common.nix;
+    in
+    lib.mkForce [
+      "${common.monitor1}, 3440x1440@175, 0x0, 1"
+      "${common.monitor2}, 3840x2160@60, 3440x0, 1.5, transform, 1"
+    ];
+}
--- a/hosts/desktop/home-manager/zen/chrome/userChrome.css
+++ b/hosts/desktop/home-manager/zen/chrome/userChrome.css
@ -0,0 +1,113 @@
+/* Catppuccin Mocha Blue userChrome.css*/
+
+@media (prefers-color-scheme: dark) {
+  :root {
+    --zen-colors-primary: #313244 !important;
+    --zen-primary-color: #89b4fa !important;
+    --zen-colors-secondary: #313244 !important;
+    --zen-colors-tertiary: #181825 !important;
+    --zen-colors-border: #89b4fa !important;
+    --toolbarbutton-icon-fill: #89b4fa !important;
+    --lwt-text-color: #cdd6f4 !important;
+    --toolbar-field-color: #cdd6f4 !important;
+    --tab-selected-textcolor: rgb(171, 197, 247) !important;
+    --toolbar-field-focus-color: #cdd6f4 !important;
+    --toolbar-color: #cdd6f4 !important;
+    --newtab-text-primary-color: #cdd6f4 !important;
+    --arrowpanel-color: #cdd6f4 !important;
+    --arrowpanel-background: #1e1e2e !important;
+    --sidebar-text-color: #cdd6f4 !important;
+    --lwt-sidebar-text-color: #cdd6f4 !important;
+    --lwt-sidebar-background-color: #11111b !important;
+    --toolbar-bgcolor: #313244 !important;
+    --newtab-background-color: #1e1e2e !important;
+    --zen-themed-toolbar-bg: #181825 !important;
+    --zen-main-browser-background: #181825 !important;
+  }
+
+  #permissions-granted-icon {
+    color: #181825 !important;
+  }
+
+  .sidebar-placesTree {
+    background-color: #1e1e2e !important;
+  }
+
+  #zen-workspaces-button {
+    background-color: #1e1e2e !important;
+  }
+
+  #TabsToolbar {
+    background-color: #181825 !important;
+  }
+
+  #urlbar-background {
+    background-color: #1e1e2e !important;
+  }
+
+  .content-shortcuts {
+    background-color: #1e1e2e !important;
+    border-color: #89b4fa !important;
+  }
+
+  .urlbarView-url {
+    color: #89b4fa !important;
+  }
+
+  #zenEditBookmarkPanelFaviconContainer {
+    background: #11111b !important;
+  }
+
+  toolbar .toolbarbutton-1 {
+    &:not([disabled]) {
+      &:is([open], [checked])
+        > :is(
+          .toolbarbutton-icon,
+          .toolbarbutton-text,
+          .toolbarbutton-badge-stack
+        ) {
+        fill: #11111b;
+      }
+    }
+  }
+
+  .identity-color-blue {
+    --identity-tab-color: #89b4fa !important;
+    --identity-icon-color: #89b4fa !important;
+  }
+
+  .identity-color-turquoise {
+    --identity-tab-color: #94e2d5 !important;
+    --identity-icon-color: #94e2d5 !important;
+  }
+
+  .identity-color-green {
+    --identity-tab-color: #a6e3a1 !important;
+    --identity-icon-color: #a6e3a1 !important;
+  }
+
+  .identity-color-yellow {
+    --identity-tab-color: #f9e2af !important;
+    --identity-icon-color: #f9e2af !important;
+  }
+
+  .identity-color-orange {
+    --identity-tab-color: #fab387 !important;
+    --identity-icon-color: #fab387 !important;
+  }
+
+  .identity-color-red {
+    --identity-tab-color: #f38ba8 !important;
+    --identity-icon-color: #f38ba8 !important;
+  }
+
+  .identity-color-pink {
+    --identity-tab-color: #f5c2e7 !important;
+    --identity-icon-color: #f5c2e7 !important;
+  }
+
+  .identity-color-purple {
+    --identity-tab-color: #cba6f7 !important;
+    --identity-icon-color: #cba6f7 !important;
+  }
+}
--- a/hosts/desktop/home-manager/zen/chrome/userContent.css
+++ b/hosts/desktop/home-manager/zen/chrome/userContent.css
@ -0,0 +1,157 @@
+/* Catppuccin Mocha Blue userContent.css*/
+
+@media (prefers-color-scheme: dark) {
+  /* Common variables affecting all pages */
+  @-moz-document url-prefix("about:") {
+    :root {
+      --in-content-page-color: #cdd6f4 !important;
+      --color-accent-primary: #89b4fa !important;
+      --color-accent-primary-hover: rgb(163, 197, 251) !important;
+      --color-accent-primary-active: rgb(138, 153, 250) !important;
+      background-color: #1e1e2e !important;
+      --in-content-page-background: #1e1e2e !important;
+    }
+  }
+
+  /* Variables and styles specific to about:newtab and about:home */
+  @-moz-document url("about:newtab"), url("about:home") {
+    :root {
+      --newtab-background-color: #1e1e2e !important;
+      --newtab-background-color-secondary: #313244 !important;
+      --newtab-element-hover-color: #313244 !important;
+      --newtab-text-primary-color: #cdd6f4 !important;
+      --newtab-wordmark-color: #cdd6f4 !important;
+      --newtab-primary-action-background: #89b4fa !important;
+    }
+
+    .icon {
+      color: #89b4fa !important;
+    }
+
+    .search-wrapper .logo-and-wordmark .logo {
+      background: url("zen-logo-mocha.svg"),
+        url("https://raw.githubusercontent.com/IAmJafeth/zen-browser/main/themes/Mocha/Blue/zen-logo-mocha.svg")
+        no-repeat center !important;
+      display: inline-block !important;
+      height: 82px !important;
+      width: 82px !important;
+      background-size: 82px !important;
+    }
+
+    @media (max-width: 609px) {
+      .search-wrapper .logo-and-wordmark .logo {
+        background-size: 64px !important;
+        height: 64px !important;
+        width: 64px !important;
+      }
+    }
+
+    .card-outer:is(:hover, :focus, .active):not(.placeholder) .card-title {
+      color: #89b4fa !important;
+    }
+
+    .top-site-outer .search-topsite {
+      background-color: #89b4fa !important;
+    }
+
+    .compact-cards .card-outer .card-context .card-context-icon.icon-download {
+      fill: #a6e3a1 !important;
+    }
+  }
+
+  /* Variables and styles specific to about:preferences */
+  @-moz-document url-prefix("about:preferences") {
+    :root {
+      --zen-colors-tertiary: #181825 !important;
+      --in-content-text-color: #cdd6f4 !important;
+      --link-color: #89b4fa !important;
+      --link-color-hover: rgb(163, 197, 251) !important;
+      --zen-colors-primary: #313244 !important;
+      --in-content-box-background: #313244 !important;
+      --zen-primary-color: #89b4fa !important;
+    }
+
+    groupbox,
+    moz-card {
+      background: #1e1e2e !important;
+    }
+
+    button,
+    groupbox menulist {
+      background: #313244 !important;
+      color: #cdd6f4 !important;
+    }
+
+    .main-content {
+      background-color: #11111b !important;
+    }
+
+    .identity-color-blue {
+      --identity-tab-color: #8aadf4 !important;
+      --identity-icon-color: #8aadf4 !important;
+    }
+
+    .identity-color-turquoise {
+      --identity-tab-color: #8bd5ca !important;
+      --identity-icon-color: #8bd5ca !important;
+    }
+
+    .identity-color-green {
+      --identity-tab-color: #a6da95 !important;
+      --identity-icon-color: #a6da95 !important;
+    }
+
+    .identity-color-yellow {
+      --identity-tab-color: #eed49f !important;
+      --identity-icon-color: #eed49f !important;
+    }
+
+    .identity-color-orange {
+      --identity-tab-color: #f5a97f !important;
+      --identity-icon-color: #f5a97f !important;
+    }
+
+    .identity-color-red {
+      --identity-tab-color: #ed8796 !important;
+      --identity-icon-color: #ed8796 !important;
+    }
+
+    .identity-color-pink {
+      --identity-tab-color: #f5bde6 !important;
+      --identity-icon-color: #f5bde6 !important;
+    }
+
+    .identity-color-purple {
+      --identity-tab-color: #c6a0f6 !important;
+      --identity-icon-color: #c6a0f6 !important;
+    }
+  }
+
+  /* Variables and styles specific to about:addons */
+  @-moz-document url-prefix("about:addons") {
+    :root {
+      --zen-dark-color-mix-base: #181825 !important;
+      --background-color-box: #1e1e2e !important;
+    }
+  }
+
+  /* Variables and styles specific to about:protections */
+  @-moz-document url-prefix("about:protections") {
+    :root {
+      --zen-primary-color: #1e1e2e !important;
+      --social-color: #cba6f7 !important;
+      --coockie-color: #89dceb !important;
+      --fingerprinter-color: #f9e2af !important;
+      --cryptominer-color: #b4befe !important;
+      --tracker-color: #a6e3a1 !important;
+      --in-content-primary-button-background-hover: rgb(81, 83, 105) !important;
+      --in-content-primary-button-text-color-hover: #cdd6f4 !important;
+      --in-content-primary-button-background: #45475a !important;
+      --in-content-primary-button-text-color: #cdd6f4 !important;
+    }
+
+    .card {
+      background-color: #313244 !important;
+    }
+  }
+}
--- a/hosts/desktop/home-manager/zen/chrome/zen-logo.svg
+++ b/hosts/desktop/home-manager/zen/chrome/zen-logo.svg
@ -0,0 +1,13 @@
+<svg width="1024" height="1024" viewBox="0 0 1024 1024" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <g clip-path="url(#clip0_15_9)">
+    <rect width="1024" height="1024" rx="225" fill="#11111b"/>
+    <circle cx="512" cy="512" r="340" stroke="#cdd6f4" stroke-width="70"/>
+    <circle cx="512" cy="512" r="224.915" stroke="#cdd6f4" stroke-width="51"/>
+    <circle cx="512" cy="512" r="129.018" stroke="#cdd6f4" stroke-width="31"/>
+  </g>
+  <defs>
+    <clipPath id="clip0_15_9">
+      <rect width="1024" height="1024" fill="white"/>
+    </clipPath>
+  </defs>
+</svg>
--- a/hosts/desktop/home-manager/zen/default.nix
+++ b/hosts/desktop/home-manager/zen/default.nix
@ -0,0 +1,7 @@
+{
+  # TODO merge with shared
+  home.file.".zen/audtxq7n.default/chrome" = {
+    source = ./chrome;
+    recursive = true;
+  };
+}
--- a/hosts/pi4/actual.nix
+++ b/hosts/pi4/actual.nix
@ -0,0 +1,44 @@
+{ config, common, ... }:
+let
+  domain = "beta.budget.${common.domain}";
+  port = 8084;
+in
+{
+  networking.nat = {
+    enable = false;
+    internalInterfaces = [ "ve-*" ];
+    externalInterface = "wlan0";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.actual = {
+    autoStart = false;
+    privateNetwork = true;
+    hostAddress = "192.168.10.188";
+    localAddress = "192.168.10.11";
+    config =
+      { ... }:
+      {
+        networking.firewall.allowedTCPPorts = [ port ];
+        services = {
+          actual = {
+            enable = false;
+            settings = {
+              inherit port;
+              loginMethod = "password";
+            };
+          };
+        };
+        system.stateVersion = common.system.version;
+      };
+  };
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${config.containers.actual.localAddress}:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+}
--- a/hosts/pi4/boot.nix
+++ b/hosts/pi4/boot.nix
@ -0,0 +1,16 @@
+{ pkgs, ... }:
+
+{
+  boot = {
+    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "usbhid"
+      "usb_storage"
+    ];
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+}
--- a/hosts/pi4/caddy.nix
+++ b/hosts/pi4/caddy.nix
@ -0,0 +1,91 @@
+{ common, ... }:
+let
+  domain = common.domain;
+in
+{
+  services.caddy = {
+    enable = false;
+    email = "cert@${domain}";
+    virtualHosts =
+      let
+        localProxy = proxyTo "localhost";
+        homelabProxy = proxyTo "192.168.10.231";
+        proxyTo = ip: port: "reverse_proxy ${ip}:${builtins.toString port}";
+        redirect = subdomain: "redir https://${subdomain}.${domain}{uri}";
+      in
+      {
+        "beta.${domain}".extraConfig = ''
+          redir https://${domain}{uri}
+        '';
+        "git.${domain}".extraConfig = ''
+          ${redirect "code"}
+        '';
+        "kitchenowl.${domain}".extraConfig = ''
+          ${redirect "grocery"}
+        '';
+        # Gitea
+        "code.${domain}".extraConfig = ''
+          ${homelabProxy 3000}
+        '';
+        # Forgejo
+        "beta.code.${domain}".extraConfig = ''
+          ${localProxy 8001}
+        '';
+        # Nextcloud
+        "nextcloud.${domain}".extraConfig = ''
+          redir /.well-known/carddav /remote.php/dav 301
+          redir /.well-known/caldav /remote.php/dav 301
+          ${homelabProxy 11000}
+        '';
+        # Kitchenowl
+        "grocery.${domain}".extraConfig = ''
+          ${homelabProxy 800}
+        '';
+        # Actual Budget
+        "budget.${domain}".extraConfig = ''
+          ${homelabProxy 5006}
+        '';
+        # Uptime Kuma
+        "status.${domain}".extraConfig = ''
+          ${homelabProxy 3001}
+        '';
+        # Headscale
+        "vpn.${domain}".extraConfig = ''
+          reverse_proxy /web* 192.168.10.231:8084
+          reverse_proxy * 192.168.10.231:8082
+        '';
+        # Headscale SmartDNS
+        "dns.${domain}".extraConfig = ''
+          ${homelabProxy 8082}
+        '';
+        # FreshRSS
+        "rss.${domain}".extraConfig = ''
+          ${homelabProxy 8085}
+        '';
+        # Ente backend
+        "api.ente.${domain}".extraConfig = ''
+          ${homelabProxy 8083}
+        '';
+        # Ente Photos frontend
+        "ente.${domain}".extraConfig = ''
+          ${homelabProxy 3003}
+        '';
+        # Ente Auth frontend
+        "mfa.${domain}".extraConfig = ''
+          ${homelabProxy 3004}
+        '';
+        # Homepage / portfolio
+        "${domain}".extraConfig = ''
+          ${homelabProxy 4321}
+        '';
+        # Yamtrack
+        "track.${domain}".extraConfig = ''
+          ${homelabProxy 8090}
+        '';
+        # Donetick
+        "chore.${domain}".extraConfig = ''
+          ${homelabProxy 2021}
+        '';
+      };
+  };
+}
--- a/hosts/pi4/default.nix
+++ b/hosts/pi4/default.nix
@ -0,0 +1,20 @@
+{ lib, ... }:
+
+{
+  imports = with lib.custom; [
+    (relativeToBase "modules")
+    ./actual.nix
+    ./boot.nix
+    ./caddy.nix
+    ./forgejo.nix
+    ./hardware.nix
+    ./headscale.nix
+    ./home-assitant.nix
+    ./mailserver.nix
+    ./nextcloud.nix
+    ./nginx.nix
+    ./podman.nix
+    ./postgres.nix
+    ./security
+  ];
+}
--- a/hosts/pi4/forgejo.nix
+++ b/hosts/pi4/forgejo.nix
@ -0,0 +1,94 @@
+{
+  config,
+  pkgs,
+  lib,
+  systemConfig,
+  common,
+  ...
+}:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+  domain = "beta.code.${common.domain}";
+  passwordKey = "forgejo/admin-pass";
+  runnerTokenKey = "forgejo/runner-token";
+in
+{
+  services = {
+    nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString srv.HTTP_PORT}";
+      serverAliases = [ "beta.git.${common.domain}" ];
+    };
+
+    forgejo = {
+      enable = true;
+      database.type = "postgres";
+      # Enable support for Git Large File Storage
+      lfs.enable = true;
+
+      secrets.mailer.PASSWD = config.sops.secrets."mailserver/password-hash".path;
+
+      settings = {
+        server = {
+          DOMAIN = domain;
+          # You need to specify this to remove the port from URLs in the web UI.
+          ROOT_URL = "https://${domain}/";
+          HTTP_PORT = 8002;
+        };
+        # You can temporarily allow registration to create an admin user.
+        service.DISABLE_REGISTRATION = true;
+        # Add support for actions, based on act: https://github.com/nektos/act
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+        # Sending emails is completely optional
+        # You can send a test email from the web UI at:
+        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
+        mailer = lib.mkIf config.mailserver.enable {
+          ENABLED = true;
+          PROTOCOL = "smtps";
+          SMTP_ADDR = config.mailserver.fqdn;
+          FROM = "noreply-forgejo@${common.domain}";
+          USER = "${systemConfig.username}@${common.domain}";
+        };
+      };
+    };
+    gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        name = "monolith";
+        url = "https://${domain}";
+        # Obtaining the path to the runner token file may differ
+        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+        tokenFile = config.sops.secrets.${runnerTokenKey}.path;
+        labels = [
+          "docker:docker://node:20-bullseye"
+          "native:host"
+        ];
+      };
+    };
+  };
+
+  sops.secrets = {
+    ${passwordKey}.owner = "forgejo";
+    ${runnerTokenKey}.owner = "forgejo";
+  };
+
+  # Create a single admin user / update password if exists
+  systemd.services.forgejo.preStart =
+    let
+      adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
+      pwd = config.sops.secrets.${passwordKey};
+      user = "martin"; # Note, Forgejo doesn't allow creation of an account named "admin"
+      email = "git@${common.domain}";
+    in
+    ''
+      ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+      ## Alter an existing user. Will prompt new password on login
+      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+    '';
+}
--- a/hosts/pi4/hardware.nix
+++ b/hosts/pi4/hardware.nix
@ -0,0 +1,12 @@
+{
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+    # TODO mount ext hdd
+  };
+
+  hardware.enableRedistributableFirmware = true;
+}
--- a/hosts/pi4/headscale.nix
+++ b/hosts/pi4/headscale.nix
@ -0,0 +1,66 @@
+{
+  config,
+  common,
+  ...
+}:
+let
+  cfg = config.services.headscale;
+
+  domain = "beta.vpn.${common.domain}";
+  dnsDomain = "secure.${common.domain}";
+in
+{
+  networking.firewall = {
+    trustedInterfaces = [ config.services.tailscale.interfaceName ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
+
+  services = {
+    headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 8083;
+      settings = {
+        database = {
+          postgres = {
+            host = "/run/postgresql";
+            name = "headscale";
+            port = config.services.postgresql.settings.port;
+            user = cfg.user;
+          };
+          type = "postgres";
+        };
+        dns = {
+          base_domain = dnsDomain;
+          magic_dns = true;
+        };
+        logtail.enabled = false;
+        server_url = "https://${domain}";
+      };
+    };
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.headscale.port}";
+        proxyWebsockets = true;
+      };
+    };
+
+    postgresql =
+      let
+        psql = cfg.settings.database.postgres;
+      in
+      {
+        ensureDatabases = [ psql.name ];
+        ensureUsers = [
+          {
+            name = psql.user;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+  };
+
+}
--- a/hosts/pi4/home-assitant.nix
+++ b/hosts/pi4/home-assitant.nix
@ -0,0 +1,73 @@
+{ pkgs, common, ... }:
+let
+  dbName = "hass";
+  domain = "beta.home.${common.domain}";
+  port = 8085;
+in
+{
+
+  services = {
+    home-assistant = {
+      enable = true;
+      package =
+        (pkgs.home-assistant.override {
+          extraPackages =
+            py: with py; [
+              # Postgres
+              psycopg2
+              # Roomba
+              roombapy
+            ];
+        }).overrideAttrs
+          (oldAttrs: {
+            # Avoid long install checks
+            doInstallCheck = false;
+          });
+      extraComponents = [
+        # Components required to complete the onboarding
+        "esphome"
+        "met"
+        "radio_browser"
+      ];
+      config = {
+        # Includes dependencies for a basic setup
+        # https://www.home-assistant.io/integrations/default_config/
+        default_config = { };
+        homeassistant = {
+          name = "Hjem";
+          unit_system = "metric";
+          temperature_unit = "C";
+        };
+        http = {
+          server_host = "::1";
+          trusted_proxies = [ "::1" ];
+          use_x_forwarded_for = true;
+          server_port = port;
+        };
+        recorder.db_url = "postgresql://@/${dbName}";
+      };
+    };
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        proxy_buffering off;
+      '';
+      locations."/" = {
+        proxyPass = "http://[::1]:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+    postgresql = {
+      enable = true;
+      ensureDatabases = [ dbName ];
+      ensureUsers = [
+        {
+          name = dbName;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+  };
+}
--- a/hosts/pi4/home-manager/default.nix
+++ b/hosts/pi4/home-manager/default.nix
@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+  imports = with lib.custom; [
+    (relativeToBase "home-manager")
+  ];
+
+  programs.git.signing.key = "E3FA0E995C0D0E5E";
+}
--- a/hosts/pi4/mailserver.nix
+++ b/hosts/pi4/mailserver.nix
@ -0,0 +1,44 @@
+{
+  config,
+  inputs,
+  common,
+  systemConfig,
+  ...
+}:
+let
+  passwordHashKey = "mailserver/password-hash";
+in
+{
+  imports = [
+    inputs.simple-nixos-mailserver.nixosModule
+  ];
+
+  mailserver = {
+    enable = false;
+    # stateVersion = 1; TODO uncomment on 25.11
+    fqdn = "mail.${common.domain}";
+    domains = [
+      common.domain
+    ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+    loginAccounts = {
+      "${systemConfig.username}@${common.domain}" = {
+        hashedPasswordFile = config.sops.secrets.${passwordHashKey}.path;
+      };
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = "acme-nginx";
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    25
+    465
+    587
+  ];
+
+  sops.secrets.${passwordHashKey}.neededForUsers = true;
+}
--- a/hosts/pi4/nextcloud.nix
+++ b/hosts/pi4/nextcloud.nix
@ -0,0 +1,90 @@
+# https://mich-murphy.com/configure-nextcloud-nixos/
+{
+  pkgs,
+  config,
+  common,
+  ...
+}:
+let
+  adminPassKey = "nextcloud/admin-pass";
+  domain = "beta.nextcloud.${common.domain}";
+  dbname = "nextcloud";
+  dbuser = dbname;
+in
+{
+  security.acme = {
+    acceptTerms = true;
+    certs.${config.services.nextcloud.hostName}.email = "acme@${common.domain}";
+  };
+
+  services = {
+    nextcloud = {
+      enable = true;
+
+      autoUpdateApps.enable = true;
+
+      config = {
+        adminpassFile = config.sops.secrets.${adminPassKey}.path;
+        dbtype = "pgsql";
+        dbname = dbname;
+        dbuser = dbuser;
+        # default directory for postgresql, ensures automatic setup of db
+        dbhost = "/run/postgresql";
+        adminuser = "admin";
+      };
+
+      extraApps = {
+        inherit (config.services.nextcloud.package.packages.apps)
+          contacts
+          deck
+          notes
+          tasks
+          ;
+      };
+      extraAppsEnable = true;
+
+      hostName = domain;
+      https = true;
+
+      maxUploadSize = "0"; # No max limit
+      package = pkgs.nextcloud31;
+
+      settings = {
+        default_phone_region = "NO";
+        trusted_domains = [
+          domain
+        ];
+      };
+    };
+
+    nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+      forceSSL = true;
+      enableACME = true;
+    };
+
+    postgresql = {
+      ensureDatabases = [ dbname ];
+      ensureUsers = [
+        {
+          name = dbuser;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+    postgresqlBackup = {
+      enable = true;
+      location = "/data/backup/nextclouddb";
+      databases = [ dbname ];
+      # time to start backup in systemd.time format
+      startAt = "*-*-* 23:15:00";
+    };
+  };
+
+  sops.secrets.${adminPassKey}.neededForUsers = true;
+
+  # ensure postgresql db is started with nextcloud
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+}
--- a/hosts/pi4/nginx.nix
+++ b/hosts/pi4/nginx.nix
@ -0,0 +1,94 @@
+{
+  common,
+  ...
+}:
+let
+  domain = common.domain;
+  proxyTo = address: port: {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "${address}:${builtins.toString port}";
+  };
+  proxyLocations = locations: {
+    enableACME = true;
+    forceSSL = true;
+    inherit locations;
+  };
+  homelab = "http://${common.localIpAddr 231}";
+  homelabProxy = proxyTo homelab; # TODO get homelab local ip from systems
+  redirect = subdomain: {
+    enableACME = true;
+    forceSSL = true;
+    globalRedirect = if subdomain == "" then domain else "${subdomain}.${domain}";
+  };
+in
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      # Beta is currently stable
+      "www.${domain}" = redirect "";
+      "beta.${domain}" = redirect "";
+      "dev.${domain}" = homelabProxy 4322;
+      "git.${domain}" = redirect "code";
+      "kitchenowl.${domain}" = redirect "grocery";
+      # Gitea
+      "code.${domain}" = homelabProxy 3000;
+      # Nextcloud
+      "nextcloud.${domain}" = proxyLocations {
+        "/".proxyPass = "${homelab}:11000";
+        "/.well-known/carddav".return = "301 /remote.php/dav";
+        "/.well-known/caldav".return = "301 /remote.php/dav";
+      };
+      # Kitchenowl
+      "grocery.${domain}" = homelabProxy 800;
+      # Actual budget
+      "budget.${domain}" = homelabProxy 5006;
+      # Uptime Kuma
+      "status.${domain}" = homelabProxy 3001;
+      # Headscale
+      "vpn.${domain}" = proxyLocations {
+        "/web".proxyPass = "${homelab}:8084";
+        "/" = {
+          proxyPass = "${homelab}:8082";
+          extraConfig = ''
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_redirect http:// https://;
+            proxy_buffering off;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+          '';
+        };
+      };
+      # Headscale SmartDNS
+      "dns.${domain}" = homelabProxy 8082;
+      # FreshRSS
+      "rss.${domain}" = homelabProxy 8085;
+      # Ente backend
+      "api.ente.${domain}" = homelabProxy 8083;
+      # Ente Photos frontend
+      "ente.${domain}" = homelabProxy 3003;
+      # Ente Auth frontend
+      "mfa.${domain}" = homelabProxy 3004;
+      # Homepage / portfolio
+      "${domain}" = homelabProxy 4321;
+      # Yamtrack
+      "track.${domain}" = homelabProxy 8090;
+      # Donetick
+      "chore.${domain}" = homelabProxy 2021;
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@${domain}";
+  };
+}
--- a/hosts/pi4/podman.nix
+++ b/hosts/pi4/podman.nix
@ -0,0 +1,23 @@
+{ pkgs, ... }:
+
+{
+  virtualisation = {
+    # Enable common container config files in /etc/containers
+    containers.enable = true;
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  # Useful other development tools
+  environment.systemPackages = with pkgs; [
+    podman-tui # status of containers in the terminal
+    podman-compose # start group of containers for dev
+  ];
+}
--- a/hosts/pi4/postgres.nix
+++ b/hosts/pi4/postgres.nix
@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser        auth-method
+      local all       all           trust
+    '';
+  };
+}
--- a/hosts/pi4/security/default.nix
+++ b/hosts/pi4/security/default.nix
@ -0,0 +1,22 @@
+{ systemConfig, ... }:
+
+{
+  imports = [
+    ./firewall.nix
+  ];
+
+  security.sudo.extraRules = [
+    {
+      users = [ systemConfig.username ];
+      runAs = "ALL:ALL";
+      commands = [
+        {
+          command = "ALL";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
+
+  services.pcscd.enable = true;
+}
--- a/hosts/pi4/security/firewall.nix
+++ b/hosts/pi4/security/firewall.nix
@ -0,0 +1,17 @@
+{ common, ... }:
+
+{
+  networking = {
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        80
+        443
+      ];
+      extraInputRules = ''
+        ip saddr ${common.localIpRange} accept
+      '';
+    };
+    nftables.enable = true;
+  };
+}
--- a/hosts/thinkpad/battery.nix
+++ b/hosts/thinkpad/battery.nix
@ -0,0 +1,6 @@
+{
+  services = {
+    upower.enable = true;
+    power-profiles-daemon.enable = true;
+  };
+}
--- a/hosts/thinkpad/bluetooth.nix
+++ b/hosts/thinkpad/bluetooth.nix
@ -0,0 +1,14 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = [
+    pkgs.bluez
+  ];
+
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = true; # powers up the default Bluetooth controller on boot
+  };
+
+  services.blueman.enable = true;
+}
--- a/hosts/thinkpad/common.nix
+++ b/hosts/thinkpad/common.nix
@ -0,0 +1,4 @@
+{
+  # Empty matches all monitors
+  monitor1 = "";
+}
--- a/hosts/thinkpad/default.nix
+++ b/hosts/thinkpad/default.nix
@ -0,0 +1,23 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+
+{
+  imports = [
+    (lib.custom.relativeToDesktop "modules")
+    ./battery.nix
+    ./bluetooth.nix
+    ./hardware-configuration.nix
+    ./security.nix
+  ];
+
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  environment.systemPackages = with pkgs; [
+    brightnessctl
+    hyprsunset # Blue light filter
+  ];
+
+}
--- a/hosts/thinkpad/hardware-configuration.nix
+++ b/hosts/thinkpad/hardware-configuration.nix
@ -0,0 +1,57 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "usb_storage"
+    "sd_mod"
+    "sdhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/5ac9c425-35ae-47d5-a683-68ee0dbfc2bc";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices."luks-99b73f22-3fa1-42b5-ad48-54b0ccff72cc".device =
+    "/dev/disk/by-uuid/99b73f22-3fa1-42b5-ad48-54b0ccff72cc";
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3CFB-D12A";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp2s0f0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/thinkpad/home-manager/default.nix
+++ b/hosts/thinkpad/home-manager/default.nix
@ -0,0 +1,14 @@
+{
+  lib,
+  ...
+}:
+
+{
+  imports = [
+    (lib.custom.relativeToDesktop "home-manager")
+    ./hyprland
+    ./zen
+  ];
+
+  programs.git.signing.key = "848D71DE0590C199";
+}
--- a/hosts/thinkpad/home-manager/hyprland/default.nix
+++ b/hosts/thinkpad/home-manager/hyprland/default.nix
@ -0,0 +1,8 @@
+# Home configurations for Hyprland. For system configs, see ./modules/hyprland
+{
+  imports = [
+    ./hyprlock.nix
+    ./hyprpanel.nix
+    ./settings.nix
+  ];
+}
--- a/hosts/thinkpad/home-manager/hyprland/hyprlock.nix
+++ b/hosts/thinkpad/home-manager/hyprland/hyprlock.nix
@ -0,0 +1,15 @@
+{ pkgs, lib, ... }:
+
+{
+  # TODO fingerprint prompt using $FPRINTPROMPT
+  programs.hyprlock = {
+    package = pkgs.unstable.hyprlock;
+    settings = {
+      auth."fingerprint:enabled" = true;
+      # Override removed settings shared config
+      general = lib.mkForce {
+        hide_cursor = true;
+      };
+    };
+  };
+}
--- a/hosts/thinkpad/home-manager/hyprland/hyprpanel.nix
+++ b/hosts/thinkpad/home-manager/hyprland/hyprpanel.nix
@ -0,0 +1,16 @@
+{
+  lib,
+  ...
+}:
+
+{
+  programs.hyprpanel.settings.bar.layouts."*".right = lib.mkForce [
+    "kbinput"
+    "volume"
+    "network"
+    "systray"
+    "clock"
+    "battery"
+    "notifications"
+  ];
+}
--- a/hosts/thinkpad/home-manager/hyprland/settings.nix
+++ b/hosts/thinkpad/home-manager/hyprland/settings.nix
@ -0,0 +1,33 @@
+{
+  lib,
+  ...
+}:
+
+{
+  wayland.windowManager.hyprland.settings = {
+    monitor =
+      let
+        common = import ../../common.nix;
+      in
+      lib.mkForce [
+        "${common.monitor1}, 1920x1080@60.05, 0x0, 1"
+      ];
+
+    # Autostart
+    exec-once = [
+      "hyprsunset -t 5000" # Set blue light filter
+    ];
+
+    input = {
+      sensitivity = lib.mkForce 0.4; # -1.0 - 1.0, 0 means no modification.
+      touchpad.natural_scroll = lib.mkForce true;
+    };
+
+    gestures = {
+      workspace_swipe = lib.mkForce true;
+      workspace_swipe_distance = lib.mkForce 150;
+      workspace_swipe_min_speed_to_force = lib.mkForce 0;
+      workspace_swipe_cancel_ratio = lib.mkForce 0.5;
+    };
+  };
+}
--- a/hosts/thinkpad/home-manager/zen/chrome/userChrome.css
+++ b/hosts/thinkpad/home-manager/zen/chrome/userChrome.css
@ -0,0 +1,113 @@
+/* Catppuccin Mocha Blue userChrome.css*/
+
+@media (prefers-color-scheme: dark) {
+  :root {
+    --zen-colors-primary: #313244 !important;
+    --zen-primary-color: #89b4fa !important;
+    --zen-colors-secondary: #313244 !important;
+    --zen-colors-tertiary: #181825 !important;
+    --zen-colors-border: #89b4fa !important;
+    --toolbarbutton-icon-fill: #89b4fa !important;
+    --lwt-text-color: #cdd6f4 !important;
+    --toolbar-field-color: #cdd6f4 !important;
+    --tab-selected-textcolor: rgb(171, 197, 247) !important;
+    --toolbar-field-focus-color: #cdd6f4 !important;
+    --toolbar-color: #cdd6f4 !important;
+    --newtab-text-primary-color: #cdd6f4 !important;
+    --arrowpanel-color: #cdd6f4 !important;
+    --arrowpanel-background: #1e1e2e !important;
+    --sidebar-text-color: #cdd6f4 !important;
+    --lwt-sidebar-text-color: #cdd6f4 !important;
+    --lwt-sidebar-background-color: #11111b !important;
+    --toolbar-bgcolor: #313244 !important;
+    --newtab-background-color: #1e1e2e !important;
+    --zen-themed-toolbar-bg: #181825 !important;
+    --zen-main-browser-background: #181825 !important;
+  }
+
+  #permissions-granted-icon {
+    color: #181825 !important;
+  }
+
+  .sidebar-placesTree {
+    background-color: #1e1e2e !important;
+  }
+
+  #zen-workspaces-button {
+    background-color: #1e1e2e !important;
+  }
+
+  #TabsToolbar {
+    background-color: #181825 !important;
+  }
+
+  #urlbar-background {
+    background-color: #1e1e2e !important;
+  }
+
+  .content-shortcuts {
+    background-color: #1e1e2e !important;
+    border-color: #89b4fa !important;
+  }
+
+  .urlbarView-url {
+    color: #89b4fa !important;
+  }
+
+  #zenEditBookmarkPanelFaviconContainer {
+    background: #11111b !important;
+  }
+
+  toolbar .toolbarbutton-1 {
+    &:not([disabled]) {
+      &:is([open], [checked])
+        > :is(
+          .toolbarbutton-icon,
+          .toolbarbutton-text,
+          .toolbarbutton-badge-stack
+        ) {
+        fill: #11111b;
+      }
+    }
+  }
+
+  .identity-color-blue {
+    --identity-tab-color: #89b4fa !important;
+    --identity-icon-color: #89b4fa !important;
+  }
+
+  .identity-color-turquoise {
+    --identity-tab-color: #94e2d5 !important;
+    --identity-icon-color: #94e2d5 !important;
+  }
+
+  .identity-color-green {
+    --identity-tab-color: #a6e3a1 !important;
+    --identity-icon-color: #a6e3a1 !important;
+  }
+
+  .identity-color-yellow {
+    --identity-tab-color: #f9e2af !important;
+    --identity-icon-color: #f9e2af !important;
+  }
+
+  .identity-color-orange {
+    --identity-tab-color: #fab387 !important;
+    --identity-icon-color: #fab387 !important;
+  }
+
+  .identity-color-red {
+    --identity-tab-color: #f38ba8 !important;
+    --identity-icon-color: #f38ba8 !important;
+  }
+
+  .identity-color-pink {
+    --identity-tab-color: #f5c2e7 !important;
+    --identity-icon-color: #f5c2e7 !important;
+  }
+
+  .identity-color-purple {
+    --identity-tab-color: #cba6f7 !important;
+    --identity-icon-color: #cba6f7 !important;
+  }
+}
--- a/hosts/thinkpad/home-manager/zen/chrome/userContent.css
+++ b/hosts/thinkpad/home-manager/zen/chrome/userContent.css
@ -0,0 +1,157 @@
+/* Catppuccin Mocha Blue userContent.css*/
+
+@media (prefers-color-scheme: dark) {
+  /* Common variables affecting all pages */
+  @-moz-document url-prefix("about:") {
+    :root {
+      --in-content-page-color: #cdd6f4 !important;
+      --color-accent-primary: #89b4fa !important;
+      --color-accent-primary-hover: rgb(163, 197, 251) !important;
+      --color-accent-primary-active: rgb(138, 153, 250) !important;
+      background-color: #1e1e2e !important;
+      --in-content-page-background: #1e1e2e !important;
+    }
+  }
+
+  /* Variables and styles specific to about:newtab and about:home */
+  @-moz-document url("about:newtab"), url("about:home") {
+    :root {
+      --newtab-background-color: #1e1e2e !important;
+      --newtab-background-color-secondary: #313244 !important;
+      --newtab-element-hover-color: #313244 !important;
+      --newtab-text-primary-color: #cdd6f4 !important;
+      --newtab-wordmark-color: #cdd6f4 !important;
+      --newtab-primary-action-background: #89b4fa !important;
+    }
+
+    .icon {
+      color: #89b4fa !important;
+    }
+
+    .search-wrapper .logo-and-wordmark .logo {
+      background: url("zen-logo-mocha.svg"),
+        url("https://raw.githubusercontent.com/IAmJafeth/zen-browser/main/themes/Mocha/Blue/zen-logo-mocha.svg")
+        no-repeat center !important;
+      display: inline-block !important;
+      height: 82px !important;
+      width: 82px !important;
+      background-size: 82px !important;
+    }
+
+    @media (max-width: 609px) {
+      .search-wrapper .logo-and-wordmark .logo {
+        background-size: 64px !important;
+        height: 64px !important;
+        width: 64px !important;
+      }
+    }
+
+    .card-outer:is(:hover, :focus, .active):not(.placeholder) .card-title {
+      color: #89b4fa !important;
+    }
+
+    .top-site-outer .search-topsite {
+      background-color: #89b4fa !important;
+    }
+
+    .compact-cards .card-outer .card-context .card-context-icon.icon-download {
+      fill: #a6e3a1 !important;
+    }
+  }
+
+  /* Variables and styles specific to about:preferences */
+  @-moz-document url-prefix("about:preferences") {
+    :root {
+      --zen-colors-tertiary: #181825 !important;
+      --in-content-text-color: #cdd6f4 !important;
+      --link-color: #89b4fa !important;
+      --link-color-hover: rgb(163, 197, 251) !important;
+      --zen-colors-primary: #313244 !important;
+      --in-content-box-background: #313244 !important;
+      --zen-primary-color: #89b4fa !important;
+    }
+
+    groupbox,
+    moz-card {
+      background: #1e1e2e !important;
+    }
+
+    button,
+    groupbox menulist {
+      background: #313244 !important;
+      color: #cdd6f4 !important;
+    }
+
+    .main-content {
+      background-color: #11111b !important;
+    }
+
+    .identity-color-blue {
+      --identity-tab-color: #8aadf4 !important;
+      --identity-icon-color: #8aadf4 !important;
+    }
+
+    .identity-color-turquoise {
+      --identity-tab-color: #8bd5ca !important;
+      --identity-icon-color: #8bd5ca !important;
+    }
+
+    .identity-color-green {
+      --identity-tab-color: #a6da95 !important;
+      --identity-icon-color: #a6da95 !important;
+    }
+
+    .identity-color-yellow {
+      --identity-tab-color: #eed49f !important;
+      --identity-icon-color: #eed49f !important;
+    }
+
+    .identity-color-orange {
+      --identity-tab-color: #f5a97f !important;
+      --identity-icon-color: #f5a97f !important;
+    }
+
+    .identity-color-red {
+      --identity-tab-color: #ed8796 !important;
+      --identity-icon-color: #ed8796 !important;
+    }
+
+    .identity-color-pink {
+      --identity-tab-color: #f5bde6 !important;
+      --identity-icon-color: #f5bde6 !important;
+    }
+
+    .identity-color-purple {
+      --identity-tab-color: #c6a0f6 !important;
+      --identity-icon-color: #c6a0f6 !important;
+    }
+  }
+
+  /* Variables and styles specific to about:addons */
+  @-moz-document url-prefix("about:addons") {
+    :root {
+      --zen-dark-color-mix-base: #181825 !important;
+      --background-color-box: #1e1e2e !important;
+    }
+  }
+
+  /* Variables and styles specific to about:protections */
+  @-moz-document url-prefix("about:protections") {
+    :root {
+      --zen-primary-color: #1e1e2e !important;
+      --social-color: #cba6f7 !important;
+      --coockie-color: #89dceb !important;
+      --fingerprinter-color: #f9e2af !important;
+      --cryptominer-color: #b4befe !important;
+      --tracker-color: #a6e3a1 !important;
+      --in-content-primary-button-background-hover: rgb(81, 83, 105) !important;
+      --in-content-primary-button-text-color-hover: #cdd6f4 !important;
+      --in-content-primary-button-background: #45475a !important;
+      --in-content-primary-button-text-color: #cdd6f4 !important;
+    }
+
+    .card {
+      background-color: #313244 !important;
+    }
+  }
+}
--- a/hosts/thinkpad/home-manager/zen/chrome/zen-logo.svg
+++ b/hosts/thinkpad/home-manager/zen/chrome/zen-logo.svg
@ -0,0 +1,13 @@
+<svg width="1024" height="1024" viewBox="0 0 1024 1024" fill="none" xmlns="http://www.w3.org/2000/svg">
+  <g clip-path="url(#clip0_15_9)">
+    <rect width="1024" height="1024" rx="225" fill="#11111b"/>
+    <circle cx="512" cy="512" r="340" stroke="#cdd6f4" stroke-width="70"/>
+    <circle cx="512" cy="512" r="224.915" stroke="#cdd6f4" stroke-width="51"/>
+    <circle cx="512" cy="512" r="129.018" stroke="#cdd6f4" stroke-width="31"/>
+  </g>
+  <defs>
+    <clipPath id="clip0_15_9">
+      <rect width="1024" height="1024" fill="white"/>
+    </clipPath>
+  </defs>
+</svg>
--- a/hosts/thinkpad/home-manager/zen/default.nix
+++ b/hosts/thinkpad/home-manager/zen/default.nix
@ -0,0 +1,7 @@
+{
+  # TODO merge with shared
+  home.file.".zen/xdaxqlov.default/chrome" = {
+    source = ./chrome;
+    recursive = true;
+  };
+}
--- a/hosts/thinkpad/security.nix
+++ b/hosts/thinkpad/security.nix
@ -0,0 +1,38 @@
+{ pkgs, ... }:
+
+{
+  security = {
+    pam.services = {
+      gdm-fingerprint.text = ''
+        auth       required                    pam_shells.so
+        auth       requisite                   pam_nologin.so
+        auth       requisite                   pam_faillock.so      preauth
+        auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
+        auth       optional                    pam_permit.so
+        auth       required                    pam_env.so
+        auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
+        auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
+
+        account    include                     login
+
+        password   required                    pam_deny.so
+
+        session    include                     login
+        session    optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
+      '';
+      login.fprintAuth = false;
+    };
+  };
+
+  # Start the driver at boot
+  systemd.services.fprintd = {
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.Type = "simple";
+  };
+
+  # Install the driver
+  services.fprintd = {
+    enable = true;
+    tod.driver = pkgs.libfprint-2-tod1-goodix-550a; # Goodix 550a driver (from Lenovo)
+  };
+}
--- a/88
+++ b/88
@ -0,0 +1,88 @@
+# List all receipes
+default:
+    @just --list
+
+# Format all files in repo
+fmt:
+    treefmt --on-unmatched info
+
+# Clean user files
+clean-user:
+    nh clean user
+
+# Clean all files
+clean-all:
+    nh clean all
+
+# Build a specific host but don't activate it. Host must use same system as target system
+build HOST:
+    git add .
+    just fmt
+    nh os build . -H {{HOST}}
+
+# Switch to new config, but don't add to bootloader
+test *FLAGS:
+    git add .
+    just fmt
+    nh os test . {{FLAGS}}
+
+# Add new configuration to bootloader, but don't activate it now
+boot *FLAGS:
+    git add .
+    just fmt
+    nh os test . {{FLAGS}}
+
+# Switch to new config and add to bootloader
+switch *FLAGS:
+    git add .
+    just fmt
+    nh os switch . {{FLAGS}}
+
+# Switch to new config and add to bootloader without formatting or adding to git
+switch-now *FLAGS:
+    nh os switch . {{FLAGS}}
+
+update-all *FLAGS:
+    nix flake update
+    just switch {{FLAGS}}
+
+update PKG:
+    nix flake update {{PKG}}
+    just switch
+
+# Encrypt all files in the repo using git-crypt
+lock:
+    git-crypt lock
+
+# Decrypt all files in the repo using git-crypt and the user's GPG key
+unlock:
+    git-crypt unlock ~/.config/git/crypt-key
+
+# Connect to tailnet or sign-in if not registered
+start-tailscale:
+    tailscale up --login-server https://vpn.martials.no
+
+# Generate a new SSH key without passphrase
+generate-ssh:
+    ssh-keygen -t ed25519 -a 32 -f ~/.ssh/id_ed25519 -P ""
+
+# Generate a new age key from an existing ssh key (without passphrase)
+generate-age-from-ssh:
+    mkdir -p ~/.config/sops/age
+    nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
+
+# Get a public age key from an existing age private key
+get-public-age-key:
+    nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt
+
+# Get the public ssh key from the current user
+get-public-ssh-key:
+    cat ~/.ssh/id_ed25519.pub
+
+# Edit the SOPS secrets file
+edit-secrets:
+    nix run nixpkgs#sops -- shared/secrets/secrets.yaml
+
+# Hash a string using the mkpasswd command
+hash PASS:
+    echo "{{PASS}}" | mkpasswd -s
--- a/lib/default.nix
+++ b/lib/default.nix
@ -0,0 +1,27 @@
+# FIXME(lib.custom): Add some stuff from hmajid2301/dotfiles/lib/module/default.nix, as simplifies option declaration
+{ lib, ... }:
+with builtins;
+
+{
+  getSecret = with lib.strings; filePath: trim (removeSuffix "\n" (readFile filePath));
+
+  # use path relative to the root of the project
+  relativeToRoot = lib.path.append ../.;
+  relativeToBase = lib.path.append ../shared/base;
+  relativeToDesktop = lib.path.append ../shared/desktop;
+
+  scanPaths =
+    path:
+    map (f: (path + "/${f}")) (
+      attrNames (
+        lib.attrsets.filterAttrs (
+          path: _type:
+          (_type == "directory") # include directories
+          || (
+            (path != "default.nix") # ignore default.nix
+            && (lib.strings.hasSuffix ".nix" path) # include .nix files
+          )
+        ) (readDir path)
+      )
+    );
+}
--- a/overlays.nix
+++ b/overlays.nix
@ -0,0 +1,11 @@
+{ inputs, ... }:
+
+{
+  # Gives access to unstable packages everywhere
+  unstable-packages = final: _prev: {
+    unstable = import inputs.nixpkgs-unstable {
+      system = final.system;
+      config.allowUnfree = true;
+    };
+  };
+}
--- a/1
+++ b/1
@ -1 +0,0 @@
-/nix/store/1q8w6gl1ll0mwfkqc3c2yx005s6wwfrl-hello-2.12.1
--- a/shared/assets/Catppuccin.png
+++ b/shared/assets/Catppuccin.png
--- a/shared/assets/catppuccin_high.png
+++ b/shared/assets/catppuccin_high.png
--- a/shared/assets/catppuccin_page_curl.png
+++ b/shared/assets/catppuccin_page_curl.png
--- a/shared/assets/downtown.gif
+++ b/shared/assets/downtown.gif
--- a/shared/assets/ekg_v2.png
+++ b/shared/assets/ekg_v2.png
--- a/shared/assets/face.png
+++ b/shared/assets/face.png
--- a/shared/assets/nixos_waves.png
+++ b/shared/assets/nixos_waves.png
--- a/shared/base/home-manager/default.nix
+++ b/shared/base/home-manager/default.nix
@ -0,0 +1,12 @@
+{ inputs, ... }:
+
+{
+  imports = [
+    inputs.catppuccin.homeModules.catppuccin
+    ./development
+    ./shell
+    ./gpg.nix
+    ./home-manager.nix
+    ./ssh.nix
+  ];
+}
--- a/shared/base/home-manager/development/default.nix
+++ b/shared/base/home-manager/development/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./git.nix
+    ./helix.nix
+  ];
+}
--- a/shared/base/home-manager/development/git.nix
+++ b/shared/base/home-manager/development/git.nix
@ -0,0 +1,35 @@
+{ pkgs, common, ... }:
+
+{
+  home.packages = with pkgs; [
+    git-crypt
+    gitmoji-cli
+  ];
+
+  programs.git =
+    let
+      package = pkgs.git.override { withLibsecret = true; };
+    in
+    {
+      enable = true;
+      package = package;
+      userName = "Martin Berg Alstad";
+      userEmail = "git@${common.domain}";
+
+      aliases = {
+        amend = "commit --amend";
+        cm = "commit";
+        s = "status";
+        p = "push";
+      };
+
+      signing.signByDefault = true;
+
+      extraConfig = {
+        pull.rebase = true;
+        push.autoSetupRemote = true;
+        safe.directory = "/etc/nixos";
+        credential.helper = "${package}/bin/git-credential-libsecret";
+      };
+    };
+}
--- a/shared/base/home-manager/development/helix.nix
+++ b/shared/base/home-manager/development/helix.nix
@ -0,0 +1,111 @@
+{
+  pkgs,
+  lib,
+  theme,
+  ...
+}:
+
+{
+  catppuccin.helix = {
+    enable = true;
+    flavor = theme.flavor;
+  };
+
+  programs = {
+    fish.shellAliases.edit = "hx";
+    helix =
+      let
+        prettier = format: {
+          command = lib.getExe pkgs.nodePackages.prettier;
+          args = [
+            "--stdin-filepath"
+            "file.${format}"
+          ];
+        };
+        biome = format: {
+          command = lib.getExe pkgs.biome;
+          args = [
+            "check"
+            "--stdin-file-path=file.${format}"
+            "--write"
+          ];
+        };
+      in
+      {
+        enable = true;
+        defaultEditor = true;
+        extraPackages = with pkgs; [
+          # Markdown
+          marksman
+          markdown-oxide
+          # Html, css, Json, Eslint
+          vscode-langservers-extracted
+          # Yaml
+          ansible-language-server
+          yaml-language-server
+        ];
+        settings = {
+          editor = {
+            auto-save = {
+              after-delay.enable = true;
+              focus-lost = true;
+            };
+            cursor-shape = {
+              normal = "block";
+              insert = "bar";
+              select = "underline";
+            };
+            lsp = {
+              display-inlay-hints = true;
+              display-messages = true;
+            };
+          };
+          keys.normal = {
+            C-f = ":format";
+          };
+        };
+
+        languages.language = [
+          {
+            name = "css";
+            formatter = biome "css";
+            auto-format = true;
+          }
+          {
+            name = "json";
+            language-servers = [
+              "vscode-json-language-server"
+            ];
+            formatter = biome "json";
+            auto-format = true;
+          }
+          {
+            name = "jsonc";
+            language-servers = [
+            ];
+            formatter = biome "jsonc";
+            file-types = [
+              "jsonc"
+            ];
+            auto-format = true;
+          }
+          {
+            name = "markdown";
+            formatter = prettier "md";
+            auto-format = true;
+          }
+          {
+            name = "nix";
+            formatter.command = lib.getExe pkgs.nixfmt-rfc-style;
+            auto-format = true;
+          }
+          {
+            name = "yaml";
+            formatter = prettier "yaml";
+            auto-format = true;
+          }
+        ];
+
+      };
+  };
+}
--- a/shared/base/home-manager/gpg.nix
+++ b/shared/base/home-manager/gpg.nix
@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+  programs.gpg.enable = true;
+  services.gpg-agent = {
+    enable = true;
+    enableFishIntegration = true;
+    pinentry.package = pkgs.pinentry-curses;
+  };
+}
--- a/shared/base/home-manager/home-manager.nix
+++ b/shared/base/home-manager/home-manager.nix
@ -0,0 +1,16 @@
+{
+  systemConfig,
+  common,
+  ...
+}:
+
+{
+  home = {
+    username = systemConfig.username;
+    homeDirectory = common.dir.home;
+    stateVersion = systemConfig.version;
+  };
+
+  # Let Home Manager install and manage itself.
+  programs.home-manager.enable = true;
+}
--- a/shared/base/home-manager/shell/bat.nix
+++ b/shared/base/home-manager/shell/bat.nix
@ -0,0 +1,13 @@
+{ theme, ... }:
+
+{
+  catppuccin.bat = {
+    enable = true;
+    flavor = theme.flavor;
+  };
+
+  programs = {
+    bat.enable = true;
+    fish.shellAliases.cat = "bat";
+  };
+}
--- a/shared/base/home-manager/shell/btop.nix
+++ b/shared/base/home-manager/shell/btop.nix
@ -0,0 +1,10 @@
+{ theme, ... }:
+
+{
+  catppuccin.btop = {
+    enable = true;
+    flavor = theme.flavor;
+  };
+
+  programs.btop.enable = true;
+}
--- a/shared/base/home-manager/shell/default.nix
+++ b/shared/base/home-manager/shell/default.nix
@ -0,0 +1,11 @@
+{
+  imports = [
+    ./bat.nix
+    ./btop.nix
+    ./eza.nix
+    ./fastfetch.nix
+    ./fish.nix
+    ./fzf.nix
+    ./zoxide.nix
+  ];
+}
--- a/shared/base/home-manager/shell/eza.nix
+++ b/shared/base/home-manager/shell/eza.nix
@ -0,0 +1,12 @@
+{
+  programs = {
+    eza = {
+      enable = true;
+      colors = "always";
+      enableFishIntegration = true;
+      git = true;
+      icons = "always";
+    };
+    fish.shellAliases.ls = "eza";
+  };
+}
--- a/shared/base/home-manager/shell/fastfetch.nix
+++ b/shared/base/home-manager/shell/fastfetch.nix
@ -0,0 +1,63 @@
+{ lib, ... }:
+
+{
+  programs = {
+    fish.shellAliases.fetch = "fastfetch";
+
+    fastfetch = {
+      enable = true;
+      settings = {
+        logo = {
+          source = "${lib.custom.relativeToRoot "shared/assets/Catppuccin.png"}";
+          type = "kitty";
+          height = 18;
+          padding.top = 2;
+        };
+        display.separator = " ";
+        modules =
+          let
+            keyColor = "34";
+            module = type: key: {
+              inherit type key keyColor;
+            };
+            formatModule = type: key: format: {
+              inherit
+                type
+                key
+                format
+                keyColor
+                ;
+            };
+          in
+          [
+            "break"
+            "break"
+            {
+              type = "title";
+              keyWidth = 10;
+            }
+            "break"
+            (module "os" " ")
+            (module "kernel" " ")
+            (formatModule "packages" " " "{} (nixpkgs)")
+            (module "shell" " ")
+            (module "terminal" " ")
+            (module "wm" " ")
+            (module "theme" " ")
+            (module "cursor" " ")
+            (module "terminalfont" " ")
+            (module "uptime" " ")
+            (formatModule "datetime" " " "{1}-{3}-{11}")
+            (module "cpu" " ")
+            (module "gpu" "󰤽 ")
+            (module "sound" " ")
+            (module "lm" " ")
+            "break"
+            "colors"
+            "break"
+            "break"
+          ];
+      };
+    };
+  };
+}
--- a/shared/base/home-manager/shell/fish.nix
+++ b/shared/base/home-manager/shell/fish.nix
@ -0,0 +1,55 @@
+{ pkgs, theme, ... }:
+
+{
+  catppuccin = {
+    fish = {
+      enable = true;
+      flavor = theme.flavor;
+    };
+    starship = {
+      enable = true;
+      flavor = theme.flavor;
+    };
+  };
+
+  programs = {
+    fish = {
+      enable = true;
+      # Start starship when creating a new shell
+      interactiveShellInit = ''
+        starship init fish | source
+        ${pkgs.fortune}/bin/fortune | ${pkgs.cowsay}/bin/cowsay -f tux
+      '';
+      plugins = [
+        {
+          # !! to get the previous command
+          # https://github.com/BrewingWeasel/fishbang
+          name = "fishbang";
+          src = pkgs.fetchFromGitHub {
+            owner = "BrewingWeasel";
+            repo = "fishbang";
+            rev = "50389667eb9ac79edcff9b987c83e1de8ac93921";
+            hash = "sha256-IneNWyfo29C7FDA5b6pTZRX3HpP6y/dRM6GXuLq2+zc=";
+          };
+        }
+      ];
+      shellAliases = {
+        nix-shell = "nix-shell --run fish"; # Start nix-shells using fish
+      };
+    };
+
+    starship = {
+      enable = true;
+      settings = {
+        directory.substitutions = {
+          "Documents" = "󰈙 ";
+          "Downloads" = " ";
+          "Music" = "󰓃 ";
+          "Pictures" = " ";
+          "Git" = " ";
+          "nextcloud" = " ";
+        };
+      };
+    };
+  };
+}
--- a/shared/base/home-manager/shell/fzf.nix
+++ b/shared/base/home-manager/shell/fzf.nix
@ -0,0 +1,13 @@
+{ theme, ... }:
+
+{
+  catppuccin.fzf = {
+    enable = true;
+    flavor = theme.flavor;
+  };
+
+  programs.fzf = {
+    enable = true;
+    enableFishIntegration = true;
+  };
+}
--- a/shared/base/home-manager/shell/zoxide.nix
+++ b/shared/base/home-manager/shell/zoxide.nix
@ -0,0 +1,10 @@
+# cd alternative
+{
+  programs = {
+    fish.shellAliases.cd = "z";
+    zoxide = {
+      enable = true;
+      enableFishIntegration = true;
+    };
+  };
+}
--- a/shared/base/home-manager/ssh.nix
+++ b/shared/base/home-manager/ssh.nix
@ -0,0 +1,32 @@
+# ~/.ssh/config
+{
+  systemConfig,
+  systems,
+  common,
+  ...
+}:
+with builtins;
+
+{
+  programs.ssh = {
+    enable = true;
+    matchBlocks = listToAttrs (
+      map (system: {
+        name = system.hostName;
+        value =
+          let
+            hostName =
+              if (system ? address && system.address ? tailnet) then
+                system.address.tailnet
+              else
+                common.tailnetAddr system.hostName;
+          in
+          {
+            port = 22;
+            user = systemConfig.username;
+            hostname = hostName;
+          };
+      }) systems
+    );
+  };
+}
--- a/shared/base/modules/default.nix
+++ b/shared/base/modules/default.nix
@ -0,0 +1,11 @@
+{
+  imports = [
+    ./development
+    ./networking.nix
+    ./nix-helper.nix
+    ./nixos.nix
+    ./security
+    ./shell.nix
+    ./users.nix
+  ];
+}
--- a/shared/base/modules/development/default.nix
+++ b/shared/base/modules/development/default.nix
@ -0,0 +1,13 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ./formatters.nix
+    ./nix.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    git
+    just
+  ];
+}
--- a/shared/base/modules/development/formatters.nix
+++ b/shared/base/modules/development/formatters.nix
@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    biome # Linter + formatter
+    nixfmt-rfc-style
+    treefmt
+    shfmt
+  ];
+}
--- a/shared/base/modules/development/nix.nix
+++ b/shared/base/modules/development/nix.nix
@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    nixd
+    nil
+  ];
+}
--- a/shared/base/modules/networking.nix
+++ b/shared/base/modules/networking.nix
@ -0,0 +1,19 @@
+{ pkgs, systemConfig, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    wget
+  ];
+
+  networking = {
+    networkmanager.enable = true;
+    hostName = systemConfig.hostName;
+  };
+
+  programs.ssh.enableAskPassword = false;
+
+  services = {
+    openssh.enable = true;
+    tailscale.enable = true;
+  };
+}
--- a/shared/base/modules/nix-helper.nix
+++ b/shared/base/modules/nix-helper.nix
@ -0,0 +1,14 @@
+# Nix-Helper: github.com/viperML/nh
+{ common, ... }:
+
+{
+  programs.nh = {
+    enable = true;
+    flake = common.root;
+    clean = {
+      enable = true;
+      dates = "weekly";
+      extraArgs = "--keep-since 30d";
+    };
+  };
+}
--- a/shared/base/modules/nixos.nix
+++ b/shared/base/modules/nixos.nix
@ -0,0 +1,28 @@
+{
+  pkgs,
+  outputs,
+  systemConfig,
+  ...
+}:
+
+{
+  environment.systemPackages = with pkgs; [
+    nix-prefetch-github # Cmd to get rev and hash from GitHub
+  ];
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
+  nixpkgs = {
+    # Allow unfree packages
+    config.allowUnfree = true;
+    overlays = [ outputs.overlays.unstable-packages ];
+  };
+
+  system = {
+    rebuild.enableNg = true;
+    stateVersion = systemConfig.version;
+  };
+}
--- a/shared/base/modules/security/default.nix
+++ b/shared/base/modules/security/default.nix
@ -0,0 +1,9 @@
+{
+  imports = [
+    ./keyring.nix
+    ./sops.nix
+    ./ssh.nix
+  ];
+
+  programs.gnupg.agent.enable = true;
+}
--- a/shared/base/modules/security/keyring.nix
+++ b/shared/base/modules/security/keyring.nix
@ -0,0 +1,3 @@
+{
+  services.gnome.gnome-keyring.enable = true;
+}
--- a/shared/base/modules/security/sops.nix
+++ b/shared/base/modules/security/sops.nix
@ -0,0 +1,20 @@
+{
+  inputs,
+  lib,
+  systemConfig,
+  ...
+}:
+
+{
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = lib.custom.relativeToRoot "shared/secrets/secrets.yaml";
+    defaultSopsFormat = "yaml";
+
+    age.keyFile = "/home/${systemConfig.username}/.config/sops/age/keys.txt";
+    secrets.password-hash.neededForUsers = true;
+  };
+}
--- a/shared/base/modules/security/ssh.nix
+++ b/shared/base/modules/security/ssh.nix
@ -0,0 +1,33 @@
+# /nix/store/<hash>/etc/ssh/ssh_config & /nix/store/<hash>/etc/ssh/authorized_keys
+{
+  systemConfig,
+  systems,
+  knownSystems,
+  common,
+  ...
+}:
+with builtins;
+let
+  allSystems = knownSystems ++ systems;
+in
+{
+  programs.ssh.knownHosts = listToAttrs (
+    map (system: {
+      name = system.hostName;
+      value = {
+        extraHostNames = [
+          (
+            if (system ? address && system.address ? tailnet) then
+              system.address.tailnet
+            else
+              common.tailnetAddr system.hostName
+          )
+        ];
+        publicKey = system.ssh.publicKey;
+      };
+    }) allSystems
+  );
+  users.users.${systemConfig.username}.openssh.authorizedKeys.keys = (
+    map (system: system.ssh.publicKey) allSystems
+  );
+}
--- a/shared/base/modules/shell.nix
+++ b/shared/base/modules/shell.nix
@ -0,0 +1,19 @@
+# For Fish dotfiles, see: /home-manager/fish.nix
+{ pkgs, ... }:
+
+{
+  programs = {
+    bash = {
+      # Starts the OS using Bash, then starts fish if it's not running
+      interactiveShellInit = ''
+        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
+        then
+          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
+          exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
+        fi
+      '';
+    };
+
+    fish.enable = true;
+  };
+}
--- a/shared/base/modules/users.nix
+++ b/shared/base/modules/users.nix
@ -0,0 +1,18 @@
+{ config, systemConfig, ... }:
+let
+  username = systemConfig.username;
+in
+{
+  users = {
+    mutableUsers = false;
+    users.${username} = {
+      isNormalUser = true;
+      hashedPasswordFile = config.sops.secrets.password-hash.path;
+      description = username;
+      extraGroups = [
+        "networkmanager"
+        "wheel"
+      ];
+    };
+  };
+}
--- a/shared/common.nix
+++ b/shared/common.nix
@ -0,0 +1,39 @@
+rec {
+  default = {
+    browser = "zen";
+    calculator = "gnome-calculator";
+    fileManager = "nautilus";
+    imageViewer = "imv";
+    lockScreen = "hyprlock";
+    terminal = "kitty";
+  };
+
+  dir = {
+    home = "/home/${username}";
+    pictures = "${dir.home}/Pictures";
+  };
+
+  domain = "martials.no";
+  tailnetDomain = "dns.${domain}";
+  localIpPrefix = "192.168.10.";
+  localIpRange = "${localIpPrefix}0/24";
+  localIpAddr = subAddr: "${localIpPrefix}${builtins.toString subAddr}";
+  tailnetAddr = host: "${host}.${tailnetDomain}";
+
+  keymaps = {
+    layout = "gb,no";
+    options = "grp:alt_shift_toggle"; # Toggle using ALT + SHIFT
+  };
+
+  username = "martin";
+
+  root = ../.;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.version = "25.05";
+}
--- a/shared/desktop/home-manager/cursors.nix
+++ b/shared/desktop/home-manager/cursors.nix
@ -0,0 +1,15 @@
+{ theme, ... }:
+
+{
+  catppuccin.cursors = {
+    enable = true;
+    flavor = theme.flavor;
+    accent = "dark";
+  };
+
+  home.pointerCursor = {
+    gtk.enable = true;
+    x11.enable = true;
+    size = 16;
+  };
+}
--- a/shared/desktop/home-manager/default-applications.nix
+++ b/shared/desktop/home-manager/default-applications.nix
@ -0,0 +1,23 @@
+{
+  xdg.mimeApps = {
+    enable = true;
+    defaultApplications =
+      let
+        browser = "zen.desktop";
+        imageViewer = "imv.desktop";
+        pdfReader = "sioyek.desktop";
+      in
+      {
+        "text/html" = browser;
+        "x-scheme-handler/http" = browser;
+        "x-scheme-handler/https" = browser;
+        "x-scheme-handler/about" = browser;
+        "x-scheme-handler/unknown" = browser;
+        "image/jpg" = imageViewer;
+        "image/jpeg" = imageViewer;
+        "image/png" = imageViewer;
+        "image/gif" = imageViewer;
+        "application/pdf" = pdfReader;
+      };
+  };
+}
--- a/shared/desktop/home-manager/default.nix
+++ b/shared/desktop/home-manager/default.nix
@ -0,0 +1,31 @@
+{
+  lib,
+  common,
+  ...
+}:
+let
+  dir = common.dir;
+in
+{
+  imports = [
+    (lib.custom.relativeToBase "home-manager")
+    ./development
+    ./hyprland
+    ./media
+    ./rofi
+    ./shell
+    ./zen
+    ./cursors.nix
+    ./default-applications.nix
+    ./freetube.nix
+    ./gtk.nix
+    ./kitty.nix
+    ./nextcloud.nix
+    ./sioyek.nix
+    ./spicetify.nix
+  ];
+
+  home.sessionVariables = {
+    XDG_PICTURES_DIR = dir.pictures; # Define the default dir for pictures
+  };
+}
--- a/shared/desktop/home-manager/development/default.nix
+++ b/shared/desktop/home-manager/development/default.nix
@ -0,0 +1,7 @@
+{
+  imports = [
+    ./zed.nix
+  ];
+  # TODO set Wayland vmOptions in Jetbrains products, Requires current installed version in path
+  # -Dawt.toolkit.name=WLToolKit
+}
--- a/shared/desktop/home-manager/development/zed.nix
+++ b/shared/desktop/home-manager/development/zed.nix
@ -0,0 +1,56 @@
+{ pkgs, theme, ... }:
+
+{
+  programs.zed-editor = {
+    enable = true;
+    package = pkgs.unstable.zed-editor;
+    extensions = [
+      "html"
+      "catppuccin"
+      "catppuccin-icons"
+      "toml"
+      "nix"
+      "git-firefly"
+      "just"
+      "biome"
+    ];
+    userSettings =
+      let
+        font = "${theme.nerdFont} Nerd Font";
+        fontSize = 14;
+      in
+      {
+        agent = {
+          default_model = {
+            provider = "ollama";
+            model = "deepseek-r1:8b";
+          };
+        };
+        autosave = "on_focus_change";
+        auto_update = false;
+        base_keymap = "JetBrains";
+        buffer_font_family = font;
+        features = {
+          edit_prediction_provider = "zed";
+        };
+        icon_theme = {
+          mode = theme.mode;
+          light = "Catppuccin Latte";
+          dark = "Catppuccin Mocha";
+        };
+        ui_font_family = font;
+        ui_font_size = fontSize;
+        buffer_font_size = fontSize;
+        tabs = {
+          file_icons = true;
+          git_status = true;
+        };
+        theme = {
+          mode = theme.mode;
+          light = "Catppuccin Latte";
+          dark = "Catppuccin Mocha";
+        };
+        lsp.nil.initialization_options.formatting.command = [ "nixfmt" ];
+      };
+  };
+}
--- a/shared/desktop/home-manager/freetube.nix
+++ b/shared/desktop/home-manager/freetube.nix
@ -0,0 +1,53 @@
+{ pkgs, ... }:
+
+{
+  catppuccin.freetube.enable = true;
+
+  programs.freetube = {
+    enable = true;
+    package = pkgs.unstable.freetube;
+    settings = {
+      allowDashAv1Formats = true;
+      checkForUpdates = false;
+      currentLocale = "en-GB";
+      defaultTheatreMode = true;
+      defaultQuality = "1080";
+      displayVideoPlayButton = false;
+      region = "NO";
+      useSponsorBlock = true;
+
+      sponsorBlockSponsor = {
+        color = "CatppuccinMochaGreen";
+        skip = "autoSkip";
+      };
+      sponsorBlockSelfPromo = {
+        color = "CatppuccinMochaYellow";
+        skip = "showInSeekBar";
+      };
+      sponsorBlockInteraction = {
+        color = "CatppuccinMochaPink";
+        skip = "showInSeekBar";
+      };
+      sponsorBlockIntro = {
+        color = "CatppuccinMochaSapphire";
+        skip = "doNothing";
+      };
+      sponsorBlockOutro = {
+        color = "CatppuccinMochaBlue";
+        skip = "doNothing";
+      };
+      sponsorBlockRecap = {
+        color = "CatppuccinMochaMauve";
+        skip = "doNothing";
+      };
+      sponsorBlockMusicOffTopic = {
+        color = "CatppuccinMochaFlamingo";
+        skip = "doNothing";
+      };
+      sponsorBlockFiller = {
+        color = "CatppuccinMochaMauve";
+        skip = "doNothing";
+      };
+    };
+  };
+}
--- a/shared/desktop/home-manager/gtk.nix
+++ b/shared/desktop/home-manager/gtk.nix
@ -0,0 +1,13 @@
+{ ... }:
+
+{
+  dconf = {
+    enable = true;
+    settings = {
+      # Prefer dark mode for all GTK apps
+      "org/gnome/desktop/interface".color-scheme = "prefer-dark";
+    };
+  };
+
+  gtk.enable = true;
+}
--- a/shared/desktop/home-manager/hyprland/binds.nix
+++ b/shared/desktop/home-manager/hyprland/binds.nix
@ -0,0 +1,102 @@
+{ common, ... }:
+let
+  app = common.default;
+in
+{
+  wayland.windowManager.hyprland.settings = {
+    "$mainMod" = "SUPER";
+    "$shiftMod" = "$mainMod SHIFT";
+    "$ctrlMod" = "$mainMod CTRL";
+    "$menu" = "rofi -show drun";
+
+    bind = [
+      "$mainMod,  Q, exec, ${app.terminal}"
+      "$mainMod,  C, killactive,"
+      "$shiftMod, M, exit,"
+      "$mainMod,  E, exec, ${app.fileManager}"
+      "$mainMod,  V, togglefloating,"
+      "$mainMod,  R, exec, $menu"
+      "$mainMod,  P, pseudo," # dwindle
+      "$mainMod,  J, togglesplit," # dwindle
+      "$mainMod,  B, exec, ${app.browser}"
+      "$mainMod,  L, exec, ${app.lockScreen}"
+      "$mainMod,  K, exec, [float] ${app.calculator}"
+      "$mainMod,  ESCAPE, exec, hyprpanel t dashboardmenu"
+
+      # Move focus with mainMod + arrow keys
+      "$mainMod, left, movefocus, l"
+      "$mainMod, right, movefocus, r"
+      "$mainMod, up, movefocus, u"
+      "$mainMod, down, movefocus, d"
+
+      # Move window with ctrl + mainMod + arrow keys
+      "$ctrlMod, left, movewindow, l"
+      "$ctrlMod, right, movewindow, r"
+      "$ctrlMod, up, movewindow, u"
+      "$ctrlMod, down, movewindow, d"
+
+      # Switch workspaces with mainMod + [0-9]
+      "$mainMod, 1, workspace, 1"
+      "$mainMod, 2, workspace, 2"
+      "$mainMod, 3, workspace, 3"
+      "$mainMod, 4, workspace, 4"
+      "$mainMod, 5, workspace, 5"
+      "$mainMod, 6, workspace, 6"
+      "$mainMod, 7, workspace, 7"
+      "$mainMod, 8, workspace, 8"
+      "$mainMod, 9, workspace, 9"
+      "$mainMod, 0, workspace, 10"
+
+      # Move active window to a workspace with mainMod + SHIFT + [0-9]
+      "$shiftMod, 1, movetoworkspace, 1"
+      "$shiftMod, 2, movetoworkspace, 2"
+      "$shiftMod, 3, movetoworkspace, 3"
+      "$shiftMod, 4, movetoworkspace, 4"
+      "$shiftMod, 5, movetoworkspace, 5"
+      "$shiftMod, 6, movetoworkspace, 6"
+      "$shiftMod, 7, movetoworkspace, 7"
+      "$shiftMod, 8, movetoworkspace, 8"
+      "$shiftMod, 9, movetoworkspace, 9"
+      "$shiftMod, 0, movetoworkspace, 10"
+
+      # Example special workspace (scratchpad)
+      "$mainMod, S, togglespecialworkspace, magic"
+      "$shiftMod, S, movetoworkspace, special:magic"
+
+      # Scroll through existing workspaces with mainMod + scroll
+      "$mainMod, mouse_down, workspace, e+1"
+      "$mainMod, mouse_up, workspace, e-1"
+    ];
+
+    binde = [
+      # Resize the focused window
+      "$shiftMod, right, resizeactive, 20 0"
+      "$shiftMod, left, resizeactive, -20 0"
+      "$shiftMod, up, resizeactive, 0 -20"
+      "$shiftMod, down, resizeactive, 0 20"
+    ];
+
+    bindm = [
+      # Move/resize windows with mainMod + LMB/RMB and dragging
+      "$mainMod, mouse:272, movewindow"
+      "$mainMod, mouse:273, resizewindow"
+    ];
+
+    bindl = [
+      ", XF86AudioNext, exec, playerctl next"
+      ", XF86AudioPause, exec, playerctl play-pause"
+      ", XF86AudioPlay, exec, playerctl play-pause"
+      ", XF86AudioPrev, exec, playerctl previous"
+    ];
+
+    bindel = [
+      # Laptop multimedia keys for volume and LCD brightness
+      ",XF86AudioRaiseVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+"
+      ",XF86AudioLowerVolume, exec, wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-"
+      ",XF86AudioMute, exec, wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"
+      ",XF86AudioMicMute, exec, wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"
+      ",XF86MonBrightnessUp, exec, brightnessctl s 10%+"
+      ",XF86MonBrightnessDown, exec, brightnessctl s 10%-"
+    ];
+  };
+}
--- a/Show More
+++ b/Show More
				`@ -0,0 +1 @@`
				`shared/secrets/weather-api-key filter=git-crypt diff=git-crypt`
				`@ -1 +0,0 @@`
				`/nix/store/1q8w6gl1ll0mwfkqc3c2yx005s6wwfrl-hello-2.12.1`