🔧 [pi4] Temporary disable Actual budget

Added Bluetooth support to desktop, including PS3 controllers

.gitattributes

@@ -1 +1 @@
-shared/secrets/* filter=git-crypt diff=git-crypt
+shared/secrets/weather-api-key filter=git-crypt diff=git-crypt

.prettierrc.toml

@@ -1 +0,0 @@
-trailingComma = "none"

.sops.yaml

@@ -0,0 +1,11 @@
+keys:
+  - &thinkpad age1j66v6z6hlsgqjfv5fz7fldm5q9jay4j5v5du6ymfda6hv40nsqesg89g7p
+  - &desktop age1fxr5s6d6ar0xy5pr63kpq93tk7jha5k96jcxnyquj6s2mw8mmcpss8w29w
+  - &pi4 age1xlnprpvshv93eerthxzg6cahklsfc4efh8dd6u8dte9u6cl0u5qsz48qlt
+creation_rules:
+  - path_regex: shared/secrets/secrets.yaml$
+    key_groups:
+      - age:
+          - *thinkpad
+          - *desktop
+          - *pi4

README.md

@@ -17,8 +17,6 @@ My NixOS configurations with dotfiles for my systems.
 | Runner | Rofi       |
 | Fetch  | Fastfetch  |
 
-Requires Nix-channel with [NixOS 24.11](https://nixos.org/)
-
 ## Commands
 
 First time run, will create a shell with the minimum dependencies in order to download the rest

biome.jsonc

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://biomejs.dev/schemas/2.0.5/schema.json",
+
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space"
+  },
+
+  "linter": {
+    "enabled": false
+  }
+}

flake.lock

@@ -1,47 +1,19 @@
 {
   "nodes": {
-    "ags": {
-      "inputs": {
-        "astal": "astal",
-        "nixpkgs": [
-          "hyprpanel",
-          "nixpkgs"
-        ]
-      },
+    "blobs": {
+      "flake": false,
       "locked": {
-        "lastModified": 1736090999,
-        "narHash": "sha256-B5CJuHqfJrzPa7tObK0H9669/EClSHpa/P7B9EuvElU=",
-        "owner": "aylur",
-        "repo": "ags",
-        "rev": "5527c3c07d92c11e04e7fd99d58429493dba7e3c",
-        "type": "github"
+        "lastModified": 1604995301,
+        "narHash": "sha256-wcLzgLec6SGJA8fx1OEN1yV/Py5b+U5iyYpksUY/yLw=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "rev": "2cccdf1ca48316f2cfd1c9a0017e8de5a7156265",
+        "type": "gitlab"
       },
       "original": {
-        "owner": "aylur",
-        "repo": "ags",
-        "type": "github"
-      }
-    },
-    "astal": {
-      "inputs": {
-        "nixpkgs": [
-          "hyprpanel",
-          "ags",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1735172721,
-        "narHash": "sha256-rtEAwGsHSppnkR3Qg3eRJ6Xh/F84IY9CrBBLzYabalY=",
-        "owner": "aylur",
-        "repo": "astal",
-        "rev": "6c84b64efc736e039a8a10774a4a1bf772c37aa2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "aylur",
-        "repo": "astal",
-        "type": "github"
+        "owner": "simple-nixos-mailserver",
+        "repo": "blobs",
+        "type": "gitlab"
       }
     },
     "catppuccin": {
@@ -49,11 +21,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1744447794,
-        "narHash": "sha256-z5uK5BDmFg0L/0EW2XYLGr39FbQeXyNVnIEhkZrG8+Q=",
+        "lastModified": 1754727511,
+        "narHash": "sha256-iRqRCeeXEQ5HSB6zI6Wja7ZfY0PPRx5yelgjtoX2iMo=",
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "c44fe73ed8e5d5809eded7cc6156ca9c40044e42",
+        "rev": "7b55c4947c02f79dfd249432ccb0ada2726c29e2",
         "type": "github"
       },
       "original": {
@@ -62,89 +34,31 @@
         "type": "github"
       }
     },
-    "devshell": {
-      "inputs": {
-        "nixpkgs": [
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1741473158,
-        "narHash": "sha256-kWNaq6wQUbUMlPgw8Y+9/9wP0F8SHkjy24/mN3UAppg=",
-        "owner": "numtide",
-        "repo": "devshell",
-        "rev": "7c9e793ebe66bcba8292989a68c0419b737a22a0",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "devshell",
-        "type": "github"
-      }
-    },
     "flake-compat": {
+      "flake": false,
       "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
-        "revCount": 69,
-        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/edolstra/flake-compat/1.1.0/01948eb7-9cba-704f-bbf3-3fa956735b52/source.tar.gz"
-      },
-      "original": {
-        "type": "tarball",
-        "url": "https://flakehub.com/f/edolstra/flake-compat/1.tar.gz"
-      }
-    },
-    "flake-parts": {
-      "inputs": {
-        "nixpkgs-lib": [
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1743550720,
-        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "lastModified": 1747046372,
+        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
         "type": "github"
       },
       "original": {
-        "owner": "hercules-ci",
-        "repo": "flake-parts",
-        "type": "github"
-      }
-    },
-    "flake-utils": {
-      "inputs": {
-        "systems": "systems"
-      },
-      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
+        "owner": "edolstra",
+        "repo": "flake-compat",
         "type": "github"
       }
     },
     "git-hooks": {
       "inputs": {
         "flake-compat": [
-          "nixvim",
+          "simple-nixos-mailserver",
           "flake-compat"
         ],
         "gitignore": "gitignore",
         "nixpkgs": [
-          "nixvim",
+          "simple-nixos-mailserver",
           "nixpkgs"
         ]
       },
@@ -165,7 +79,7 @@
     "gitignore": {
       "inputs": {
         "nixpkgs": [
-          "nixvim",
+          "simple-nixos-mailserver",
           "git-hooks",
           "nixpkgs"
         ]
@@ -184,24 +98,6 @@
         "type": "github"
       }
     },
-    "grayjay": {
-      "inputs": {
-        "nixpkgs": "nixpkgs_2"
-      },
-      "locked": {
-        "lastModified": 1744375210,
-        "narHash": "sha256-aMnp0e+oGmsZ+VC6mgrE6lUcKMjBPotLesCosejRhdw=",
-        "owner": "rishabh5321",
-        "repo": "grayjay-flake",
-        "rev": "ab754473aecde1afad07ab5a5903c9336bcb5442",
-        "type": "github"
-      },
-      "original": {
-        "owner": "rishabh5321",
-        "repo": "grayjay-flake",
-        "type": "github"
-      }
-    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -209,43 +105,21 @@
         ]
       },
       "locked": {
-        "lastModified": 1744117652,
-        "narHash": "sha256-t7dFCDl4vIOOUMhEZnJF15aAzkpaup9x4ZRGToDFYWI=",
+        "lastModified": 1753592768,
+        "narHash": "sha256-oV695RvbAE4+R9pcsT9shmp6zE/+IZe6evHWX63f2Qg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "b4e98224ad1336751a2ac7493967a4c9f6d9cb3f",
+        "rev": "fc3add429f21450359369af74c2375cb34a2d204",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-24.11",
+        "ref": "release-25.05",
         "repo": "home-manager",
         "type": "github"
       }
     },
     "home-manager_2": {
-      "inputs": {
-        "nixpkgs": [
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1743808813,
-        "narHash": "sha256-2lDQBOmlz9ggPxcS7/GvcVdzXMIiT+PpMao6FbLJSr0=",
-        "owner": "nix-community",
-        "repo": "home-manager",
-        "rev": "a9f8b3db211b4609ddd83683f9db89796c7f6ac6",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "ref": "release-24.11",
-        "repo": "home-manager",
-        "type": "github"
-      }
-    },
-    "home-manager_3": {
       "inputs": {
         "nixpkgs": [
           "zen-browser",
@@ -253,11 +127,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1743604125,
-        "narHash": "sha256-ZD61DNbsBt1mQbinAaaEqKaJk2RFo9R/j+eYWeGMx7A=",
+        "lastModified": 1752603129,
+        "narHash": "sha256-S+wmHhwNQ5Ru689L2Gu8n1OD6s9eU9n9mD827JNR+kw=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "180fd43eea296e62ae68e079fcf56aba268b9a1a",
+        "rev": "e8c19a3cec2814c754f031ab3ae7316b64da085b",
         "type": "github"
       },
       "original": {
@@ -266,82 +140,13 @@
         "type": "github"
       }
     },
-    "hyprpanel": {
-      "inputs": {
-        "ags": "ags",
-        "nixpkgs": "nixpkgs_3"
-      },
-      "locked": {
-        "lastModified": 1744259355,
-        "narHash": "sha256-gykRJw309t5NLuYXzWw9WhJFKTc4OASmc16M9jD/Vpw=",
-        "owner": "Jas-SinghFSU",
-        "repo": "HyprPanel",
-        "rev": "1d4d2dcc20ebd707d5e45c7e357acc1267a498d7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "Jas-SinghFSU",
-        "repo": "HyprPanel",
-        "type": "github"
-      }
-    },
-    "ixx": {
-      "inputs": {
-        "flake-utils": [
-          "nixvim",
-          "nuschtosSearch",
-          "flake-utils"
-        ],
-        "nixpkgs": [
-          "nixvim",
-          "nuschtosSearch",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1729958008,
-        "narHash": "sha256-EiOq8jF4Z/zQe0QYVc3+qSKxRK//CFHMB84aYrYGwEs=",
-        "owner": "NuschtOS",
-        "repo": "ixx",
-        "rev": "9fd01aad037f345350eab2cd45e1946cc66da4eb",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NuschtOS",
-        "ref": "v0.0.6",
-        "repo": "ixx",
-        "type": "github"
-      }
-    },
-    "nix-darwin": {
-      "inputs": {
-        "nixpkgs": [
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1743127615,
-        "narHash": "sha256-+sMGqywrSr50BGMLMeY789mSrzjkoxZiu61eWjYS/8o=",
-        "owner": "lnl7",
-        "repo": "nix-darwin",
-        "rev": "fc843893cecc1838a59713ee3e50e9e7edc6207c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "lnl7",
-        "ref": "nix-darwin-24.11",
-        "repo": "nix-darwin",
-        "type": "github"
-      }
-    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1744098102,
-        "narHash": "sha256-tzCdyIJj9AjysC3OuKA+tMD/kDEDAF9mICPDU7ix0JA=",
+        "lastModified": 1753694789,
+        "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "c8cd81426f45942bb2906d5ed2fe21d2f19d95b7",
+        "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
         "type": "github"
       },
       "original": {
@@ -351,29 +156,45 @@
         "type": "github"
       }
     },
-    "nixpkgs-stable": {
+    "nixpkgs-25_05": {
       "locked": {
-        "lastModified": 1744309437,
-        "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=",
+        "lastModified": 1747610100,
+        "narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7",
+        "rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-24.11",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1754689972,
+        "narHash": "sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fc756aa6f5d3e2e5666efcf865d190701fef150a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1744232761,
-        "narHash": "sha256-gbl9hE39nQRpZaLjhWKmEu5ejtQsgI5TWYrIVVJn30U=",
+        "lastModified": 1754498491,
+        "narHash": "sha256-erbiH2agUTD0Z30xcVSFcDHzkRvkRXOQ3lb887bcVrs=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f675531bc7e6657c10a18b565cfebd8aa9e24c14",
+        "rev": "c2ae88e026f9525daf89587f3cbee584b92b6134",
         "type": "github"
       },
       "original": {
@@ -385,31 +206,31 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1744232761,
-        "narHash": "sha256-gbl9hE39nQRpZaLjhWKmEu5ejtQsgI5TWYrIVVJn30U=",
+        "lastModified": 1754689972,
+        "narHash": "sha256-eogqv6FqZXHgqrbZzHnq43GalnRbLTkbBbFtEfm1RSc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f675531bc7e6657c10a18b565cfebd8aa9e24c14",
+        "rev": "fc756aa6f5d3e2e5666efcf865d190701fef150a",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixos-25.05",
         "repo": "nixpkgs",
         "type": "github"
       }
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1736344531,
-        "narHash": "sha256-8YVQ9ZbSfuUk2bUf2KRj60NRraLPKPS0Q4QFTbc+c2c=",
-        "owner": "nixos",
+        "lastModified": 1747179050,
+        "narHash": "sha256-qhFMmDkeJX9KJwr5H32f1r7Prs7XbQWtO0h3V0a0rFY=",
+        "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "bffc22eb12172e6db3c5dde9e3e5628f8e3e7912",
+        "rev": "adaa24fbf46737f3f1b5497bf64bae750f82942e",
         "type": "github"
       },
       "original": {
-        "owner": "nixos",
+        "owner": "NixOS",
         "ref": "nixos-unstable",
         "repo": "nixpkgs",
         "type": "github"
@@ -417,27 +238,11 @@
     },
     "nixpkgs_4": {
       "locked": {
-        "lastModified": 1744309437,
-        "narHash": "sha256-QZnNHM823am8apCqKSPdtnzPGTy2ZB4zIXOVoBp5+W0=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "f9ebe33a928b5d529c895202263a5ce46bdf12f7",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-24.11",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_5": {
-      "locked": {
-        "lastModified": 1743448293,
-        "narHash": "sha256-bmEPmSjJakAp/JojZRrUvNcDX2R5/nuX6bm+seVaGhs=",
+        "lastModified": 1752480373,
+        "narHash": "sha256-JHQbm+OcGp32wAsXTE/FLYGNpb+4GLi5oTvCxwSoBOA=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "77b584d61ff80b4cef9245829a6f1dfad5afdfa3",
+        "rev": "62e0f05ede1da0d54515d4ea8ce9c733f12d9f08",
         "type": "github"
       },
       "original": {
@@ -447,73 +252,42 @@
         "type": "github"
       }
     },
-    "nixvim": {
-      "inputs": {
-        "devshell": "devshell",
-        "flake-compat": "flake-compat",
-        "flake-parts": "flake-parts",
-        "git-hooks": "git-hooks",
-        "home-manager": "home-manager_2",
-        "nix-darwin": "nix-darwin",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nuschtosSearch": "nuschtosSearch",
-        "treefmt-nix": "treefmt-nix"
-      },
-      "locked": {
-        "lastModified": 1743856924,
-        "narHash": "sha256-CgCbUGd9y639PfcuzA0TrA6O5N1ICl+mB95+qTG52+E=",
-        "owner": "nix-community",
-        "repo": "nixvim",
-        "rev": "d209a04d349febe85c777078ca2eeea5e8bbc8a1",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-community",
-        "ref": "nixos-24.11",
-        "repo": "nixvim",
-        "type": "github"
-      }
-    },
-    "nuschtosSearch": {
-      "inputs": {
-        "flake-utils": "flake-utils",
-        "ixx": "ixx",
-        "nixpkgs": [
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1743683223,
-        "narHash": "sha256-LdXtHFvhEC3S64dphap1pkkzwjErbW65eH1VRerCUT0=",
-        "owner": "NuschtOS",
-        "repo": "search",
-        "rev": "56a49ffef2908dad1e9a8adef1f18802bc760962",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NuschtOS",
-        "repo": "search",
-        "type": "github"
-      }
-    },
     "root": {
       "inputs": {
         "catppuccin": "catppuccin",
-        "grayjay": "grayjay",
         "home-manager": "home-manager",
-        "hyprpanel": "hyprpanel",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_2",
         "nixpkgs-stable": "nixpkgs-stable",
         "nixpkgs-unstable": "nixpkgs-unstable",
-        "nixvim": "nixvim",
+        "simple-nixos-mailserver": "simple-nixos-mailserver",
         "sops-nix": "sops-nix",
         "spicetify-nix": "spicetify-nix",
         "zen-browser": "zen-browser"
       }
     },
+    "simple-nixos-mailserver": {
+      "inputs": {
+        "blobs": "blobs",
+        "flake-compat": "flake-compat",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs_3",
+        "nixpkgs-25_05": "nixpkgs-25_05"
+      },
+      "locked": {
+        "lastModified": 1747965231,
+        "narHash": "sha256-BW3ktviEhfCN/z3+kEyzpDKAI8qFTwO7+S0NVA0C90o=",
+        "owner": "simple-nixos-mailserver",
+        "repo": "nixos-mailserver",
+        "rev": "53007af63fade28853408370c4c600a63dd97f41",
+        "type": "gitlab"
+      },
+      "original": {
+        "owner": "simple-nixos-mailserver",
+        "ref": "nixos-25.05",
+        "repo": "nixos-mailserver",
+        "type": "gitlab"
+      }
+    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
@@ -521,11 +295,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1744103455,
-        "narHash": "sha256-SR6+qjkPjGQG+8eM4dCcVtss8r9bre/LAxFMPJpaZeU=",
+        "lastModified": 1754328224,
+        "narHash": "sha256-glPK8DF329/dXtosV7YSzRlF4n35WDjaVwdOMEoEXHA=",
         "owner": "mic92",
         "repo": "sops-nix",
-        "rev": "69d5a5a4635c27dae5a742f36108beccc506c1ba",
+        "rev": "49021900e69812ba7ddb9e40f9170218a7eca9f4",
         "type": "github"
       },
       "original": {
@@ -539,14 +313,14 @@
         "nixpkgs": [
           "nixpkgs-unstable"
         ],
-        "systems": "systems_2"
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1744423915,
-        "narHash": "sha256-6Hd8VyrOlmjlDBgPpx9NwX4+/uO4gEDIyjqbQLyniwE=",
+        "lastModified": 1754196919,
+        "narHash": "sha256-0zATw65mNql9H8e7HWVBPpijMSbDVeK7JNivRBcUScM=",
         "owner": "Gerg-L",
         "repo": "spicetify-nix",
-        "rev": "4c4b9611c71d586ea818fa5b8dcbd81129f62560",
+        "rev": "24fcb94f7792ab755b933e1c9516996530ac1fbd",
         "type": "github"
       },
       "original": {
@@ -570,53 +344,17 @@
         "type": "github"
       }
     },
-    "systems_2": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
-    "treefmt-nix": {
-      "inputs": {
-        "nixpkgs": [
-          "nixvim",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1743748085,
-        "narHash": "sha256-uhjnlaVTWo5iD3LXics1rp9gaKgDRQj6660+gbUU3cE=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "815e4121d6a5d504c0f96e5be2dd7f871e4fd99d",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
     "zen-browser": {
       "inputs": {
-        "home-manager": "home-manager_3",
-        "nixpkgs": "nixpkgs_5"
+        "home-manager": "home-manager_2",
+        "nixpkgs": "nixpkgs_4"
       },
       "locked": {
-        "lastModified": 1744406237,
-        "narHash": "sha256-Xbt5m3/ZNeye4b42rCZOLbD8OhCOeJfUSEJ+FvfXwpg=",
+        "lastModified": 1754713785,
+        "narHash": "sha256-/XEjh0nXEzHX5H84AAEP1vJopIGf0Z4sbfqKklwQaHk=",
         "owner": "0xc000022070",
         "repo": "zen-browser-flake",
-        "rev": "4d9ee0daab52a7a205e69cfddcd441ffaa09c802",
+        "rev": "7564df093b5d6aac0be47a0cd6336e5a36ece598",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,17 +5,17 @@
     #
     # ========= Official NixOS and HM Package Sources =========
     #
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
     # The next two are for pinning to stable vs unstable regardless of what the above is set to
     # This is particularly useful when an upcoming stable release is in beta because you can effectively
     # keep 'nixpkgs-stable' set to stable for critical packages while setting 'nixpkgs' to the beta branch to
     # get a jump start on deprecation changes.
     # See also 'stable-packages' and 'unstable-packages' overlays at 'overlays/default.nix"
-    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-24.11";
+    nixpkgs-stable.url = "github:NixOS/nixpkgs/nixos-25.05";
     nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
 
     home-manager = {
-      url = "github:nix-community/home-manager/release-24.11";
+      url = "github:nix-community/home-manager/release-25.05";
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
@@ -28,16 +28,8 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     # Catppuccin theming
-    catppuccin = {
-      url = "github:catppuccin/nix";
-    };
-    # vim
-    nixvim = {
-      url = "github:nix-community/nixvim/nixos-24.11";
-      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    # Bar
-    hyprpanel.url = "github:Jas-SinghFSU/HyprPanel";
+    catppuccin.url = "github:catppuccin/nix";
+    simple-nixos-mailserver.url = "gitlab:simple-nixos-mailserver/nixos-mailserver/nixos-25.05";
     # Spotify
     spicetify-nix = {
       url = "github:Gerg-L/spicetify-nix";
@@ -45,8 +37,6 @@
     };
     # Browser
     zen-browser.url = "github:0xc000022070/zen-browser-flake";
-    # Video aggregator
-    grayjay.url = "github:rishabh5321/grayjay-flake";
   };
 
   outputs =
@@ -76,21 +66,52 @@
       lib = nixpkgs.lib.extend customLib;
       libHm = home-manager.lib.extend customLib;
 
-      systems = [
+      systems = builtins.map (config: defaultAttrs // config) [
         {
           hostName = "desktop";
-          system = "x86_64-linux";
+          nvidia.enable = true;
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMSzXyTuQyTrWsfORQbvgrqt/33+hfSUDXeMg6D1T2wz";
         }
         {
           hostName = "thinkpad";
-          system = "x86_64-linux";
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILNlHKE/BD8kKfhJD7GBk1A3whZf3gTjk9VEgGAj3qsH";
         }
         {
           hostName = "pi4";
           system = "aarch64-linux";
-          enableWayland = false;
+          wayland.enable = false;
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJE9m7YiITe1sDqSZ7Pa8luIw3WToLsypixZEqE4wCQE";
+          address.private = common.localIpAddr 188;
+        }
+        {
+          hostName = "homelab";
+          wayland.enable = false;
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIARDv5nRlfPDXdV+Db4FaqeSJZ3/3MO0frYGzuVeqYAl";
+          address.private = common.localIpAddr 231;
+          address.tailnet = common.tailnetAddr "admin";
+        }
+      ];
+
+      defaultAttrs = {
+        hostName = builtins.abort "hostName is required";
+        system = "x86_64-linux";
+        username = common.username;
+        version = common.system.version;
+        wayland.enable = true;
+        nvidia.enable = false;
+      };
+
+      knownSystems = [
+        {
+          # Samsung S23 FE
+          hostName = "localhost-y4maoyqm";
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII7SSjiqnjif1Kko60iXVTKJ7a1/lRlR8TFNtoclNcnQ";
+        }
+        {
+          # OnePlus 8
+          hostName = "localhost-4izgka9k";
+          ssh.publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALtulVgLrUEpKnpfPFQTHjaEXTxs2Q818NC18eLx0bj";
         }
-        # TODO Homelab config
       ];
 
     in
@@ -109,13 +130,9 @@
           {
             hostName,
             system,
-            user ? {
-              name = common.username;
-              password = "temp";
-            },
-            version ? common.version,
-            enableWayland ? true,
-          }:
+            username,
+            ...
+          }@systemConfig:
 
           {
             name = hostName;
@@ -128,9 +145,9 @@
                   common
                   theme
                   lib
-                  hostName
-                  version
-                  enableWayland
+                  systemConfig
+                  systems
+                  knownSystems
                   ;
                 isDarwin = false;
               };
@@ -149,18 +166,15 @@
                         common
                         theme
                         libHm
-                        hostName
-                        version
-                        enableWayland
+                        systemConfig
+                        systems
                         ;
                     };
-                    users.${user.name} = import ./hosts/${hostName}/home-manager;
+                    users.${username} = import ./hosts/${hostName}/home-manager;
                   };
                 }
                 {
-                  nixpkgs.overlays = with inputs; [
-                    hyprpanel.overlay
-                  ];
+                  nixpkgs.overlays = [ ];
                 }
               ];
             };

hosts/desktop/bluetooth.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+
+{
+  hardware.bluetooth = {
+    enable = true;
+    input = {
+      # Required to get PS3 controllers working
+      General = {
+        ClassicBondedOnly = false;
+        UserspaceHID = false;
+      };
+    };
+    powerOnBoot = true;
+    package = pkgs.unstable.bluez;
+  };
+
+  services.blueman.enable = true;
+}

hosts/desktop/common.nix

@@ -0,0 +1,4 @@
+{
+  monitor1 = "DP-1";
+  monitor2 = "DP-3";
+}

hosts/desktop/default.nix

@@ -1,70 +1,15 @@
 {
+  lib,
   pkgs,
-  inputs,
-  outputs,
-  common,
   ...
 }:
 
 {
-  imports = [ ./modules ];
-
-  nixpkgs.overlays = [ outputs.overlays.unstable-packages ];
-
-  # Bootloader.
-  boot.loader = {
-    systemd-boot.enable = true;
-    efi.canTouchEfiVariables = true;
-  };
-
-  # Define a user account. Don't forget to set a password with 'passwd'.
-  users.users.${common.username} = {
-    isNormalUser = true;
-    description = common.username;
-    extraGroups = [
-      "networkmanager"
-      "wheel"
-    ];
-  };
-
-  # Allow unfree packages
-  nixpkgs.config.allowUnfree = true;
-
-  environment.sessionVariables = {
-    # Tells Electron apps to use Wayland
-    NIXOS_OZONE_WL = "1";
-  };
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-    wget
-    xdg-utils
-    xdg-desktop-portal
-    xdg-desktop-portal-gtk
-    unstable.protonmail-desktop
-    stremio
-    fastfetch
-    discord
-    nix-prefetch-github # Cmd to get rev and hash from GitHub
-    gimp
-    vlc
-    vdhcoapp # TODO run "vdhcoapp install" on startup
-    onlyoffice-desktopeditors
-    inputs.grayjay.packages.${system}.grayjay
+  imports = [
+    (lib.custom.relativeToDesktop "modules")
+    ./bluetooth.nix
+    ./hardware-configuration.nix
   ];
 
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-
-  programs.kdeconnect.enable = true;
-
-  services = {
-    flatpak.enable = false;
-    xserver.enable = true;
-  };
-
-  system.stateVersion = common.system.version;
+  boot.kernelPackages = pkgs.linuxPackages_6_12;
 }

hosts/desktop/hardware-configuration.nix

@@ -1,10 +1,6 @@
-# Do not modify this file!  It was generated by ‘nixos-generate-config’
-# and may be overwritten by future invocations.  Please make changes
-# to /etc/nixos/configuration.nix instead.
 {
   config,
   lib,
-  pkgs,
   modulesPath,
   ...
 }:

hosts/desktop/home-manager/default.nix

@@ -5,7 +5,9 @@
 
 {
   imports = [
-    (lib.custom.relativeToRoot "shared/home-manager")
+    (lib.custom.relativeToDesktop "home-manager")
+    ./hyprpaper.nix
+    ./settings.nix
   ];
 
   programs.git.signing.key = "706F53DD087A91DE";

hosts/desktop/home-manager/hyprpaper.nix

@@ -0,0 +1,29 @@
+# Wallpapers
+{
+  lib,
+  theme,
+  ...
+}:
+
+{
+  services.hyprpaper.settings =
+    let
+      wallpaper1 = builtins.toString theme.wallpaper.monitor1;
+      wallpaper2 = builtins.toString theme.wallpaper.monitor2;
+    in
+    {
+      preload = lib.mkForce [
+        wallpaper1
+        wallpaper2
+      ];
+
+      wallpaper =
+        let
+          common = import ../common.nix;
+        in
+        lib.mkForce [
+          "${common.monitor1},${wallpaper1}"
+          "${common.monitor2},${wallpaper2}"
+        ];
+    };
+}

hosts/desktop/home-manager/settings.nix

@@ -0,0 +1,12 @@
+{ lib, ... }:
+
+{
+  wayland.windowManager.hyprland.settings.monitor =
+    let
+      common = import ../common.nix;
+    in
+    lib.mkForce [
+      "${common.monitor1}, 3440x1440@175, 0x0, 1"
+      "${common.monitor2}, 3840x2160@60, 3440x0, 1.5, transform, 1"
+    ];
+}

hosts/desktop/home-manager/zen/chrome/userContent.css

@@ -29,10 +29,9 @@
     }
 
     .search-wrapper .logo-and-wordmark .logo {
-      background:
-        url("zen-logo-mocha.svg"),
+      background: url("zen-logo-mocha.svg"),
         url("https://raw.githubusercontent.com/IAmJafeth/zen-browser/main/themes/Mocha/Blue/zen-logo-mocha.svg")
-          no-repeat center !important;
+        no-repeat center !important;
       display: inline-block !important;
       height: 82px !important;
       width: 82px !important;

hosts/desktop/home-manager/zen/default.nix

@@ -0,0 +1,7 @@
+{
+  # TODO merge with shared
+  home.file.".zen/audtxq7n.default/chrome" = {
+    source = ./chrome;
+    recursive = true;
+  };
+}

hosts/desktop/modules/default.nix

@@ -1,17 +0,0 @@
-{
-  imports = [
-    ./development
-    ./fonts.nix
-    ./gaming
-    ./gnome
-    ./hardware
-    ./locale.nix
-    ./networking.nix
-    ./nix-helper.nix
-    ./hyprland
-    ./sddm.nix
-    ./security.nix
-    ./shell.nix
-    ./qt.nix
-  ];
-}

hosts/desktop/modules/development/ollama.nix

@@ -1,6 +0,0 @@
-{
-  services.ollama = {
-    enable = true;
-    acceleration = "cuda";
-  };
-}

hosts/desktop/modules/fonts.nix

@@ -1,19 +0,0 @@
-{ pkgs, theme, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    font-awesome # Icons
-  ];
-
-  fonts = {
-    fontconfig.enable = true;
-    packages = with pkgs; [
-      (nerdfonts.override { fonts = [ theme.nerdFont ]; })
-      jetbrains-mono
-      # The line below will replace the lines above in 25.05
-      # nerd-fonts.jetbrains-mono
-      font-awesome
-    ];
-  };
-
-}

hosts/desktop/modules/hardware/audio.nix

@@ -1,33 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    gst_all_1.gstreamer
-    gst_all_1.gst-plugins-base
-    gst_all_1.gst-plugins-good
-    gst_all_1.gst-plugins-bad
-
-    wireplumber
-    playerctl # Interaction with audioplayers and browsers
-    pavucontrol # GUI
-    spotify
-  ];
-
-  hardware.pulseaudio.enable = false; # Will be moved to services in 25.05
-
-  security.rtkit.enable = true; # Enable RealtimeKit for audio purposes
-
-  services = {
-    pipewire = {
-      enable = true;
-      alsa = {
-        enable = true;
-        support32Bit = true;
-      };
-      pulse.enable = true;
-      # Uncomment the following line if you want to use JACK applications
-      # jack.enable = true;
-    };
-    # pulseaudio.enable = false; # TODO uncommenct at 25.05
-  };
-}

hosts/desktop/modules/networking.nix

@@ -1,22 +0,0 @@
-{ hostName, ... }:
-
-{
-  networking = {
-    networkmanager.enable = true;
-    inherit hostName;
-    # wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-  };
-
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  programs.ssh.enableAskPassword = false;
-
-  services.tailscale.enable = true;
-}

hosts/desktop/modules/nix-helper.nix

@@ -1,12 +0,0 @@
-# Nix-Helper: github.com/viperML/nh
-{
-  programs.nh = {
-    enable = true;
-    flake = ../.;
-    clean = {
-      enable = true;
-      dates = "weekly";
-      extraArgs = "--keep-since 30d";
-    };
-  };
-}

hosts/desktop/modules/sddm.nix

@@ -1,22 +0,0 @@
-{ pkgs, theme, ... }:
-let
-  flavor = theme.flavor;
-in
-{
-  environment.systemPackages = with pkgs; [
-    (catppuccin-sddm.override {
-      flavor = flavor;
-      font = theme.nerdFont;
-      fontSize = "9";
-      background = builtins.toString ../assets/catppuccin_high.png;
-      loginBackground = true;
-    })
-  ];
-
-  services.displayManager.sddm = {
-    enable = true;
-    theme = "catppuccin-${flavor}";
-    wayland.enable = true;
-    package = pkgs.kdePackages.sddm;
-  };
-}

hosts/pi4/actual.nix

@@ -0,0 +1,44 @@
+{ config, common, ... }:
+let
+  domain = "beta.budget.${common.domain}";
+  port = 8084;
+in
+{
+  networking.nat = {
+    enable = false;
+    internalInterfaces = [ "ve-*" ];
+    externalInterface = "wlan0";
+    # Lazy IPv6 connectivity for the container
+    enableIPv6 = true;
+  };
+
+  containers.actual = {
+    autoStart = false;
+    privateNetwork = true;
+    hostAddress = "192.168.10.188";
+    localAddress = "192.168.10.11";
+    config =
+      { ... }:
+      {
+        networking.firewall.allowedTCPPorts = [ port ];
+        services = {
+          actual = {
+            enable = false;
+            settings = {
+              inherit port;
+              loginMethod = "password";
+            };
+          };
+        };
+        system.stateVersion = common.system.version;
+      };
+  };
+  services.nginx.virtualHosts.${domain} = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://${config.containers.actual.localAddress}:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/pi4/boot.nix

@@ -0,0 +1,16 @@
+{ pkgs, ... }:
+
+{
+  boot = {
+    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "usbhid"
+      "usb_storage"
+    ];
+    loader = {
+      grub.enable = false;
+      generic-extlinux-compatible.enable = true;
+    };
+  };
+}

hosts/pi4/caddy.nix

@@ -0,0 +1,91 @@
+{ common, ... }:
+let
+  domain = common.domain;
+in
+{
+  services.caddy = {
+    enable = false;
+    email = "cert@${domain}";
+    virtualHosts =
+      let
+        localProxy = proxyTo "localhost";
+        homelabProxy = proxyTo "192.168.10.231";
+        proxyTo = ip: port: "reverse_proxy ${ip}:${builtins.toString port}";
+        redirect = subdomain: "redir https://${subdomain}.${domain}{uri}";
+      in
+      {
+        "beta.${domain}".extraConfig = ''
+          redir https://${domain}{uri}
+        '';
+        "git.${domain}".extraConfig = ''
+          ${redirect "code"}
+        '';
+        "kitchenowl.${domain}".extraConfig = ''
+          ${redirect "grocery"}
+        '';
+        # Gitea
+        "code.${domain}".extraConfig = ''
+          ${homelabProxy 3000}
+        '';
+        # Forgejo
+        "beta.code.${domain}".extraConfig = ''
+          ${localProxy 8001}
+        '';
+        # Nextcloud
+        "nextcloud.${domain}".extraConfig = ''
+          redir /.well-known/carddav /remote.php/dav 301
+          redir /.well-known/caldav /remote.php/dav 301
+          ${homelabProxy 11000}
+        '';
+        # Kitchenowl
+        "grocery.${domain}".extraConfig = ''
+          ${homelabProxy 800}
+        '';
+        # Actual Budget
+        "budget.${domain}".extraConfig = ''
+          ${homelabProxy 5006}
+        '';
+        # Uptime Kuma
+        "status.${domain}".extraConfig = ''
+          ${homelabProxy 3001}
+        '';
+        # Headscale
+        "vpn.${domain}".extraConfig = ''
+          reverse_proxy /web* 192.168.10.231:8084
+          reverse_proxy * 192.168.10.231:8082
+        '';
+        # Headscale SmartDNS
+        "dns.${domain}".extraConfig = ''
+          ${homelabProxy 8082}
+        '';
+        # FreshRSS
+        "rss.${domain}".extraConfig = ''
+          ${homelabProxy 8085}
+        '';
+        # Ente backend
+        "api.ente.${domain}".extraConfig = ''
+          ${homelabProxy 8083}
+        '';
+        # Ente Photos frontend
+        "ente.${domain}".extraConfig = ''
+          ${homelabProxy 3003}
+        '';
+        # Ente Auth frontend
+        "mfa.${domain}".extraConfig = ''
+          ${homelabProxy 3004}
+        '';
+        # Homepage / portfolio
+        "${domain}".extraConfig = ''
+          ${homelabProxy 4321}
+        '';
+        # Yamtrack
+        "track.${domain}".extraConfig = ''
+          ${homelabProxy 8090}
+        '';
+        # Donetick
+        "chore.${domain}".extraConfig = ''
+          ${homelabProxy 2021}
+        '';
+      };
+  };
+}

hosts/pi4/default.nix

@@ -1,54 +1,20 @@
-{
-  pkgs,
-  hostName,
-  user,
-  version,
-  ...
-}:
+{ lib, ... }:
 
 {
-  boot = {
-    kernelPackages = pkgs.linuxKernel.packages.linux_rpi4;
-    initrd.availableKernelModules = [
-      "xhci_pci"
-      "usbhid"
-      "usb_storage"
-    ];
-    loader = {
-      grub.enable = false;
-      generic-extlinux-compatible.enable = true;
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    vim
+  imports = with lib.custom; [
+    (relativeToBase "modules")
+    ./actual.nix
+    ./boot.nix
+    ./caddy.nix
+    ./forgejo.nix
+    ./hardware.nix
+    ./headscale.nix
+    ./home-assitant.nix
+    ./mailserver.nix
+    ./nextcloud.nix
+    ./nginx.nix
+    ./podman.nix
+    ./postgres.nix
+    ./security
   ];
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-label/NIXOS_SD";
-      fsType = "ext4";
-      options = [ "noatime" ];
-    };
-  };
-
-  hardware.enableRedistributableFirmware = true;
-
-  networking = {
-    inherit hostName;
-    networkmanager.enable = true;
-  };
-
-  services.openssh.enable = true;
-
-  system.stateVersion = version;
-
-  users = {
-    mutableUsers = false;
-    users.${user.name} = {
-      isNormalUser = true;
-      password = user.password;
-      extraGroups = [ "wheel" ];
-    };
-  };
 }

hosts/pi4/forgejo.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  pkgs,
+  lib,
+  systemConfig,
+  common,
+  ...
+}:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+  domain = "beta.code.${common.domain}";
+  passwordKey = "forgejo/admin-pass";
+  runnerTokenKey = "forgejo/runner-token";
+in
+{
+  services = {
+    nginx.virtualHosts.${domain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString srv.HTTP_PORT}";
+      serverAliases = [ "beta.git.${common.domain}" ];
+    };
+
+    forgejo = {
+      enable = true;
+      database.type = "postgres";
+      # Enable support for Git Large File Storage
+      lfs.enable = true;
+
+      secrets.mailer.PASSWD = config.sops.secrets."mailserver/password-hash".path;
+
+      settings = {
+        server = {
+          DOMAIN = domain;
+          # You need to specify this to remove the port from URLs in the web UI.
+          ROOT_URL = "https://${domain}/";
+          HTTP_PORT = 8002;
+        };
+        # You can temporarily allow registration to create an admin user.
+        service.DISABLE_REGISTRATION = true;
+        # Add support for actions, based on act: https://github.com/nektos/act
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+        # Sending emails is completely optional
+        # You can send a test email from the web UI at:
+        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
+        mailer = lib.mkIf config.mailserver.enable {
+          ENABLED = true;
+          PROTOCOL = "smtps";
+          SMTP_ADDR = config.mailserver.fqdn;
+          FROM = "noreply-forgejo@${common.domain}";
+          USER = "${systemConfig.username}@${common.domain}";
+        };
+      };
+    };
+    gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        name = "monolith";
+        url = "https://${domain}";
+        # Obtaining the path to the runner token file may differ
+        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+        tokenFile = config.sops.secrets.${runnerTokenKey}.path;
+        labels = [
+          "docker:docker://node:20-bullseye"
+          "native:host"
+        ];
+      };
+    };
+  };
+
+  sops.secrets = {
+    ${passwordKey}.owner = "forgejo";
+    ${runnerTokenKey}.owner = "forgejo";
+  };
+
+  # Create a single admin user / update password if exists
+  systemd.services.forgejo.preStart =
+    let
+      adminCmd = "${lib.getExe config.services.forgejo.package} admin user";
+      pwd = config.sops.secrets.${passwordKey};
+      user = "martin"; # Note, Forgejo doesn't allow creation of an account named "admin"
+      email = "git@${common.domain}";
+    in
+    ''
+      ${adminCmd} create --admin --email "${email}" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+      ## Alter an existing user. Will prompt new password on login
+      # ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
+    '';
+}

hosts/pi4/hardware.nix

@@ -0,0 +1,12 @@
+{
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+    # TODO mount ext hdd
+  };
+
+  hardware.enableRedistributableFirmware = true;
+}

hosts/pi4/headscale.nix

@@ -0,0 +1,66 @@
+{
+  config,
+  common,
+  ...
+}:
+let
+  cfg = config.services.headscale;
+
+  domain = "beta.vpn.${common.domain}";
+  dnsDomain = "secure.${common.domain}";
+in
+{
+  networking.firewall = {
+    trustedInterfaces = [ config.services.tailscale.interfaceName ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
+
+  services = {
+    headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 8083;
+      settings = {
+        database = {
+          postgres = {
+            host = "/run/postgresql";
+            name = "headscale";
+            port = config.services.postgresql.settings.port;
+            user = cfg.user;
+          };
+          type = "postgres";
+        };
+        dns = {
+          base_domain = dnsDomain;
+          magic_dns = true;
+        };
+        logtail.enabled = false;
+        server_url = "https://${domain}";
+      };
+    };
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.headscale.port}";
+        proxyWebsockets = true;
+      };
+    };
+
+    postgresql =
+      let
+        psql = cfg.settings.database.postgres;
+      in
+      {
+        ensureDatabases = [ psql.name ];
+        ensureUsers = [
+          {
+            name = psql.user;
+            ensureDBOwnership = true;
+          }
+        ];
+      };
+  };
+
+}

hosts/pi4/home-assitant.nix

@@ -0,0 +1,73 @@
+{ pkgs, common, ... }:
+let
+  dbName = "hass";
+  domain = "beta.home.${common.domain}";
+  port = 8085;
+in
+{
+
+  services = {
+    home-assistant = {
+      enable = true;
+      package =
+        (pkgs.home-assistant.override {
+          extraPackages =
+            py: with py; [
+              # Postgres
+              psycopg2
+              # Roomba
+              roombapy
+            ];
+        }).overrideAttrs
+          (oldAttrs: {
+            # Avoid long install checks
+            doInstallCheck = false;
+          });
+      extraComponents = [
+        # Components required to complete the onboarding
+        "esphome"
+        "met"
+        "radio_browser"
+      ];
+      config = {
+        # Includes dependencies for a basic setup
+        # https://www.home-assistant.io/integrations/default_config/
+        default_config = { };
+        homeassistant = {
+          name = "Hjem";
+          unit_system = "metric";
+          temperature_unit = "C";
+        };
+        http = {
+          server_host = "::1";
+          trusted_proxies = [ "::1" ];
+          use_x_forwarded_for = true;
+          server_port = port;
+        };
+        recorder.db_url = "postgresql://@/${dbName}";
+      };
+    };
+
+    nginx.virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        proxy_buffering off;
+      '';
+      locations."/" = {
+        proxyPass = "http://[::1]:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+    postgresql = {
+      enable = true;
+      ensureDatabases = [ dbName ];
+      ensureUsers = [
+        {
+          name = dbName;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+  };
+}

hosts/pi4/home-manager/default.nix

@@ -0,0 +1,9 @@
+{ lib, ... }:
+
+{
+  imports = with lib.custom; [
+    (relativeToBase "home-manager")
+  ];
+
+  programs.git.signing.key = "E3FA0E995C0D0E5E";
+}

hosts/pi4/mailserver.nix

@@ -0,0 +1,44 @@
+{
+  config,
+  inputs,
+  common,
+  systemConfig,
+  ...
+}:
+let
+  passwordHashKey = "mailserver/password-hash";
+in
+{
+  imports = [
+    inputs.simple-nixos-mailserver.nixosModule
+  ];
+
+  mailserver = {
+    enable = false;
+    # stateVersion = 1; TODO uncomment on 25.11
+    fqdn = "mail.${common.domain}";
+    domains = [
+      common.domain
+    ];
+
+    # A list of all login accounts. To create the password hashes, use
+    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
+    loginAccounts = {
+      "${systemConfig.username}@${common.domain}" = {
+        hashedPasswordFile = config.sops.secrets.${passwordHashKey}.path;
+      };
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = "acme-nginx";
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    25
+    465
+    587
+  ];
+
+  sops.secrets.${passwordHashKey}.neededForUsers = true;
+}

hosts/pi4/nextcloud.nix

@@ -0,0 +1,90 @@
+# https://mich-murphy.com/configure-nextcloud-nixos/
+{
+  pkgs,
+  config,
+  common,
+  ...
+}:
+let
+  adminPassKey = "nextcloud/admin-pass";
+  domain = "beta.nextcloud.${common.domain}";
+  dbname = "nextcloud";
+  dbuser = dbname;
+in
+{
+  security.acme = {
+    acceptTerms = true;
+    certs.${config.services.nextcloud.hostName}.email = "acme@${common.domain}";
+  };
+
+  services = {
+    nextcloud = {
+      enable = true;
+
+      autoUpdateApps.enable = true;
+
+      config = {
+        adminpassFile = config.sops.secrets.${adminPassKey}.path;
+        dbtype = "pgsql";
+        dbname = dbname;
+        dbuser = dbuser;
+        # default directory for postgresql, ensures automatic setup of db
+        dbhost = "/run/postgresql";
+        adminuser = "admin";
+      };
+
+      extraApps = {
+        inherit (config.services.nextcloud.package.packages.apps)
+          contacts
+          deck
+          notes
+          tasks
+          ;
+      };
+      extraAppsEnable = true;
+
+      hostName = domain;
+      https = true;
+
+      maxUploadSize = "0"; # No max limit
+      package = pkgs.nextcloud31;
+
+      settings = {
+        default_phone_region = "NO";
+        trusted_domains = [
+          domain
+        ];
+      };
+    };
+
+    nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+      forceSSL = true;
+      enableACME = true;
+    };
+
+    postgresql = {
+      ensureDatabases = [ dbname ];
+      ensureUsers = [
+        {
+          name = dbuser;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+    postgresqlBackup = {
+      enable = true;
+      location = "/data/backup/nextclouddb";
+      databases = [ dbname ];
+      # time to start backup in systemd.time format
+      startAt = "*-*-* 23:15:00";
+    };
+  };
+
+  sops.secrets.${adminPassKey}.neededForUsers = true;
+
+  # ensure postgresql db is started with nextcloud
+  systemd.services."nextcloud-setup" = {
+    requires = [ "postgresql.service" ];
+    after = [ "postgresql.service" ];
+  };
+}

hosts/pi4/nginx.nix

@@ -0,0 +1,94 @@
+{
+  common,
+  ...
+}:
+let
+  domain = common.domain;
+  proxyTo = address: port: {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "${address}:${builtins.toString port}";
+  };
+  proxyLocations = locations: {
+    enableACME = true;
+    forceSSL = true;
+    inherit locations;
+  };
+  homelab = "http://${common.localIpAddr 231}";
+  homelabProxy = proxyTo homelab; # TODO get homelab local ip from systems
+  redirect = subdomain: {
+    enableACME = true;
+    forceSSL = true;
+    globalRedirect = if subdomain == "" then domain else "${subdomain}.${domain}";
+  };
+in
+{
+  services.nginx = {
+    enable = true;
+    enableReload = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts = {
+      # Beta is currently stable
+      "www.${domain}" = redirect "";
+      "beta.${domain}" = redirect "";
+      "dev.${domain}" = homelabProxy 4322;
+      "git.${domain}" = redirect "code";
+      "kitchenowl.${domain}" = redirect "grocery";
+      # Gitea
+      "code.${domain}" = homelabProxy 3000;
+      # Nextcloud
+      "nextcloud.${domain}" = proxyLocations {
+        "/".proxyPass = "${homelab}:11000";
+        "/.well-known/carddav".return = "301 /remote.php/dav";
+        "/.well-known/caldav".return = "301 /remote.php/dav";
+      };
+      # Kitchenowl
+      "grocery.${domain}" = homelabProxy 800;
+      # Actual budget
+      "budget.${domain}" = homelabProxy 5006;
+      # Uptime Kuma
+      "status.${domain}" = homelabProxy 3001;
+      # Headscale
+      "vpn.${domain}" = proxyLocations {
+        "/web".proxyPass = "${homelab}:8084";
+        "/" = {
+          proxyPass = "${homelab}:8082";
+          extraConfig = ''
+            proxy_http_version 1.1;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection $connection_upgrade;
+            proxy_redirect http:// https://;
+            proxy_buffering off;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+          '';
+        };
+      };
+      # Headscale SmartDNS
+      "dns.${domain}" = homelabProxy 8082;
+      # FreshRSS
+      "rss.${domain}" = homelabProxy 8085;
+      # Ente backend
+      "api.ente.${domain}" = homelabProxy 8083;
+      # Ente Photos frontend
+      "ente.${domain}" = homelabProxy 3003;
+      # Ente Auth frontend
+      "mfa.${domain}" = homelabProxy 3004;
+      # Homepage / portfolio
+      "${domain}" = homelabProxy 4321;
+      # Yamtrack
+      "track.${domain}" = homelabProxy 8090;
+      # Donetick
+      "chore.${domain}" = homelabProxy 2021;
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@${domain}";
+  };
+}

hosts/pi4/podman.nix

@@ -0,0 +1,23 @@
+{ pkgs, ... }:
+
+{
+  virtualisation = {
+    # Enable common container config files in /etc/containers
+    containers.enable = true;
+    podman = {
+      enable = true;
+
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  # Useful other development tools
+  environment.systemPackages = with pkgs; [
+    podman-tui # status of containers in the terminal
+    podman-compose # start group of containers for dev
+  ];
+}

hosts/pi4/postgres.nix

@@ -0,0 +1,11 @@
+{ pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser        auth-method
+      local all       all           trust
+    '';
+  };
+}

hosts/pi4/security/default.nix

@@ -0,0 +1,22 @@
+{ systemConfig, ... }:
+
+{
+  imports = [
+    ./firewall.nix
+  ];
+
+  security.sudo.extraRules = [
+    {
+      users = [ systemConfig.username ];
+      runAs = "ALL:ALL";
+      commands = [
+        {
+          command = "ALL";
+          options = [ "NOPASSWD" ];
+        }
+      ];
+    }
+  ];
+
+  services.pcscd.enable = true;
+}

hosts/pi4/security/firewall.nix

@@ -0,0 +1,17 @@
+{ common, ... }:
+
+{
+  networking = {
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        80
+        443
+      ];
+      extraInputRules = ''
+        ip saddr ${common.localIpRange} accept
+      '';
+    };
+    nftables.enable = true;
+  };
+}

hosts/thinkpad/common.nix

@@ -1,25 +1,4 @@
-rec {
-  default = {
-    browser = "zen";
-    calculator = "gnome-calculator";
-    fileManager = "nautilus";
-    imageViewer = "loupe";
-    lockScreen = "hyprlock";
-    terminal = "kitty";
-  };
-
-  dir = {
-    home = "/home/${username}";
-    pictures = "${dir.home}/Pictures";
-  };
-
-  keymaps = {
-    layout = "gb,no";
-    options = "grp:alt_shift_toggle"; # Toggle using ALT + SHIFT
-  };
-
-  # Empty matches all
+{
+  # Empty matches all monitors
   monitor1 = "";
-
-  username = "martin";
 }

hosts/thinkpad/default.nix

@@ -1,72 +1,23 @@
 {
   pkgs,
-  outputs,
-  common,
+  lib,
   ...
 }:
 
 {
-  imports = [ ./modules ];
+  imports = [
+    (lib.custom.relativeToDesktop "modules")
+    ./battery.nix
+    ./bluetooth.nix
+    ./hardware-configuration.nix
+    ./security.nix
+  ];
 
-  nixpkgs.overlays = [ outputs.overlays.unstable-packages ];
+  boot.kernelPackages = pkgs.linuxPackages_latest;
 
-  # Bootloader.
-  boot = {
-    kernelPackages = pkgs.linuxPackages_latest;
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-  };
-
-  # Define a user account. Don't forget to set a password with 'passwd'.
-  users.users.${common.username} = {
-    isNormalUser = true;
-    description = common.username;
-    extraGroups = [
-      "networkmanager"
-      "wheel"
-    ];
-  };
-
-  # Allow unfree packages
-  nixpkgs.config.allowUnfree = true;
-
-  environment.sessionVariables = {
-    # Tells Electron apps to use Wayland
-    NIXOS_OZONE_WL = "1";
-  };
-
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
   environment.systemPackages = with pkgs; [
     brightnessctl
-    wget
-    xdg-utils
-    xdg-desktop-portal
-    xdg-desktop-portal-gtk
-    unstable.protonmail-desktop
-    stremio
-    fastfetch
-    discord
-    nix-prefetch-github # Cmd to get rev and hash from GitHub
-    gimp
-    vlc
-    vdhcoapp
-    onlyoffice-desktopeditors
+    hyprsunset # Blue light filter
   ];
 
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-
-  programs.kdeconnect.enable = true;
-
-  services = {
-    flatpak.enable = false;
-    xserver.enable = true;
-  };
-
-  system.stateVersion = common.system.version;
 }

hosts/thinkpad/home-manager/default.nix

@@ -5,7 +5,7 @@
 
 {
   imports = [
-    (lib.custom.relativeToRoot "shared/home-manager")
+    (lib.custom.relativeToDesktop "home-manager")
     ./hyprland
     ./zen
   ];

hosts/thinkpad/home-manager/hyprland/default.nix

@@ -1,8 +1,8 @@
 # Home configurations for Hyprland. For system configs, see ./modules/hyprland
 {
   imports = [
+    ./hyprlock.nix
     ./hyprpanel.nix
-    ./hyprpaper.nix
     ./settings.nix
   ];
 }

hosts/thinkpad/home-manager/hyprland/hyprlock.nix

@@ -0,0 +1,15 @@
+{ pkgs, lib, ... }:
+
+{
+  # TODO fingerprint prompt using $FPRINTPROMPT
+  programs.hyprlock = {
+    package = pkgs.unstable.hyprlock;
+    settings = {
+      auth."fingerprint:enabled" = true;
+      # Override removed settings shared config
+      general = lib.mkForce {
+        hide_cursor = true;
+      };
+    };
+  };
+}

hosts/thinkpad/home-manager/hyprland/hyprpanel.nix

@@ -4,7 +4,7 @@
 }:
 
 {
-  programs.hyprpanel.settings.layout."bar.layouts"."*".right = lib.mkDefault [
+  programs.hyprpanel.settings.bar.layouts."*".right = lib.mkForce [
     "kbinput"
     "volume"
     "network"

hosts/thinkpad/home-manager/hyprland/hyprpaper.nix

@@ -1,23 +0,0 @@
-# Wallpapers
-{
-  lib,
-  theme,
-  common,
-  ...
-}:
-
-{
-  services.hyprpaper.settings =
-    let
-      monitor1 = builtins.toString theme.wallpaper.monitor1;
-    in
-    {
-      preload = lib.mkDefault [
-        monitor1
-      ];
-
-      wallpaper = lib.mkDefault [
-        "${common.monitor1},${monitor1}"
-      ];
-    };
-}

hosts/thinkpad/home-manager/hyprland/settings.nix

@@ -1,14 +1,17 @@
 {
   lib,
-  common,
   ...
 }:
 
 {
   wayland.windowManager.hyprland.settings = {
-    monitor = lib.mkDefault [
-      "${common.monitor1}, 1920x1080@60.05, 0x0, 1"
-    ];
+    monitor =
+      let
+        common = import ../../common.nix;
+      in
+      lib.mkForce [
+        "${common.monitor1}, 1920x1080@60.05, 0x0, 1"
+      ];
 
     # Autostart
     exec-once = [
@@ -16,15 +19,15 @@
     ];
 
     input = {
-      sensitivity = lib.mkDefault 0.4; # -1.0 - 1.0, 0 means no modification.
-      touchpad.natural_scroll = lib.mkDefault true;
+      sensitivity = lib.mkForce 0.4; # -1.0 - 1.0, 0 means no modification.
+      touchpad.natural_scroll = lib.mkForce true;
     };
 
-    gestures = lib.mkDefault {
-      workspace_swipe = true;
-      workspace_swipe_distance = 150;
-      workspace_swipe_min_speed_to_force = 0;
-      workspace_swipe_cancel_ratio = 0.5;
+    gestures = {
+      workspace_swipe = lib.mkForce true;
+      workspace_swipe_distance = lib.mkForce 150;
+      workspace_swipe_min_speed_to_force = lib.mkForce 0;
+      workspace_swipe_cancel_ratio = lib.mkForce 0.5;
     };
   };
 }

hosts/thinkpad/home-manager/zen/chrome/userContent.css

@@ -29,10 +29,9 @@
     }
 
     .search-wrapper .logo-and-wordmark .logo {
-      background:
-        url("zen-logo-mocha.svg"),
+      background: url("zen-logo-mocha.svg"),
         url("https://raw.githubusercontent.com/IAmJafeth/zen-browser/main/themes/Mocha/Blue/zen-logo-mocha.svg")
-          no-repeat center !important;
+        no-repeat center !important;
       display: inline-block !important;
       height: 82px !important;
       width: 82px !important;

hosts/thinkpad/home-manager/zen/default.nix

@@ -1,12 +1,7 @@
-{ pkgs, inputs, ... }:
-
 {
   # TODO merge with shared
-  home = {
-    file.".zen/xdaxqlov.default/chrome" = {
-      source = ./chrome;
-      recursive = true;
-    };
-    packages = with pkgs; [ inputs.zen-browser.packages.${system}.default ]; # Beta
+  home.file.".zen/xdaxqlov.default/chrome" = {
+    source = ./chrome;
+    recursive = true;
   };
 }

hosts/thinkpad/modules/default.nix

@@ -1,19 +0,0 @@
-{
-  imports = [
-    ./battery.nix
-    ./bluetooth.nix
-    ./development.nix
-    ./fonts.nix
-    ./gaming
-    ./gnome
-    ./hardware
-    ./locale.nix
-    ./networking.nix
-    ./nix-helper.nix
-    ./hyprland
-    ./sddm.nix
-    ./security.nix
-    ./shell.nix
-    ./qt.nix
-  ];
-}

hosts/thinkpad/modules/development.nix

@@ -1,41 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    # IDEs
-    jetbrains.rust-rover
-    jetbrains.webstorm
-    jetbrains.rider
-    vscodium # TODO set up extensions
-    # Tools
-    dotnet-sdk_9
-    dotnet-aspnetcore_9
-    git
-    rustup
-    nodejs_22
-    pnpm
-    just
-    gcc # Required for C, Rust and others
-    # Language servers
-    nixd
-    nil
-    # Formatters
-    nixfmt-rfc-style
-    treefmt
-    nodePackages.prettier
-    shfmt
-  ];
-
-  virtualisation.docker = {
-    enable = true;
-    storageDriver = "btrfs";
-    rootless = {
-      enable = true;
-      setSocketVariable = true;
-    };
-  };
-
-  services.ollama = {
-    enable = true;
-  };
-}

hosts/thinkpad/modules/fonts.nix

@@ -1,19 +0,0 @@
-{ pkgs, theme, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    font-awesome # Icons
-  ];
-
-  fonts = {
-      fontconfig.enable = true;
-      packages = with pkgs; [
-        (nerdfonts.override { fonts = [ theme.nerdFont ]; })
-        jetbrains-mono
-        # The line below will replace the lines above in 25.05
-        # nerd-fonts.jetbrains-mono
-        font-awesome
-      ];
-    };
-
-}

hosts/thinkpad/modules/gaming/steam.nix

@@ -1,8 +0,0 @@
-{
-  programs.steam = {
-    enable = true;
-    remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
-    dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
-    localNetworkGameTransfers.openFirewall = true; # Open ports in the firewall for Steam Local Network Game Transfers
-  };
-}

hosts/thinkpad/modules/gnome/default.nix

@@ -1,28 +0,0 @@
-{ pkgs, ... }:
-
-{
-  imports = [
-    ./nautilus.nix
-  ];
-
-  environment.systemPackages = with pkgs; [
-    # adw-gtk3
-    glib
-    adwaita-icon-theme
-    gnomeExtensions.appindicator
-    # gnome-extension-manager
-    loupe
-    gnome-calculator
-    gnome-disk-utility
-    gnome-clocks
-    papers # PDFReader
-  ];
-
-  programs.dconf.enable = true; # Required for some gnome applications
-
-  services = {
-    gnome.gnome-keyring.enable = true;
-    gvfs.enable = true; # Gnome Virtual File-system. Required for various things in nautilus
-    udev.packages = with pkgs; [ gnome-settings-daemon ];
-  };
-}

hosts/thinkpad/modules/gnome/nautilus.nix

@@ -1,15 +0,0 @@
-{ pkgs, ... }:
-let
-  common = import ../../common.nix;
-in
-{
-  environment.systemPackages = with pkgs; [
-    nautilus
-    ffmpegthumbnailer # Thumbnails
-  ];
-
-  programs.nautilus-open-any-terminal = {
-    enable = true;
-    terminal = common.default.terminal;
-  };
-}

hosts/thinkpad/modules/hardware/default.nix

@@ -1,8 +0,0 @@
-{
-  imports = [
-    ./audio.nix
-    ./graphics
-    ./hardware-configuration.nix
-    ./keyboard.nix
-  ];
-}

hosts/thinkpad/modules/hardware/graphics/default.nix

@@ -1,6 +0,0 @@
-{
-  imports = [ ];
-
-  # Enable OpenGL
-  hardware.graphics.enable = true;
-}

hosts/thinkpad/modules/hardware/keyboard.nix

@@ -1,11 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    via
-  ];
-
-  hardware.keyboard.qmk.enable = true;
-
-  services.udev.packages = with pkgs; [ via ];
-}

hosts/thinkpad/modules/hyprland/default.nix

@@ -1,25 +0,0 @@
-# System configurations for Hyprland. For home configs, see ./home-manager/hyprland
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    xdg-desktop-portal-hyprland
-    hyprpolkitagent # Auth deamon providing modals for password auth
-    hyprshot # Screenshots
-    hyprsunset # Blue light filter
-    unstable.hyprsysteminfo
-    unstable.hyprland-qtutils
-    unstable.hyprland-qt-support
-  ];
-
-  programs = {
-    hyprland = {
-      enable = true;
-      xwayland.enable = true;
-      withUWSM = true;
-    };
-    hyprlock.enable = true; # Lock screen
-  };
-
-  services.hypridle.enable = true; # Lock when unused
-}

hosts/thinkpad/modules/locale.nix

@@ -1,37 +0,0 @@
-# TODO move locale config for hyprland here
-let
-  utf-8 = "UTF-8";
-  en = "en_GB.${utf-8}";
-  nb = "nb_NO.${utf-8}";
-  common = import ../common.nix;
-in
-{
-  # Configure console keymap
-  console.keyMap = "uk";
-
-  # Select internationalisation properties.
-  i18n = {
-    defaultLocale = en;
-    supportedLocales = [
-      "${en}/${utf-8}"
-      "${nb}/${utf-8}"
-    ];
-    extraLocaleSettings = {
-      LC_ADDRESS = nb;
-      LC_IDENTIFICATION = nb;
-      LC_MEASUREMENT = nb;
-      LC_MONETARY = nb;
-      LC_NAME = nb;
-      LC_NUMERIC = nb;
-      LC_PAPER = nb;
-      LC_TELEPHONE = nb;
-      LC_TIME = nb;
-    };
-  };
-
-  # Configure keymaps
-  services.xserver.xkb = common.keymaps;
-
-  # Set your time zone.
-  time.timeZone = "Europe/Oslo";
-}

hosts/thinkpad/modules/networking.nix

@@ -1,22 +0,0 @@
-{ hostName, ... }:
-
-{
-  networking = {
-    networkmanager.enable = true;
-    inherit hostName;
-    # wireless.enable = true;  # Enables wireless support via wpa_supplicant.
-  };
-
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  # networking.firewall.enable = false;
-
-  programs.ssh.enableAskPassword = false;
-
-  services.tailscale.enable = true;
-}

hosts/thinkpad/modules/qt.nix

@@ -1,17 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment = {
-    sessionVariables = {
-      QT_QPA_PLATFORMTHEME = "qt6ct";
-      QT_QPA_PLATFORM = "wayland"; # Enable Wayland for QT
-    };
-    systemPackages = with pkgs.kdePackages; [
-      qtwayland
-      qtsvg
-      qt6ct
-    ];
-  };
-
-  qt.enable = true;
-}

hosts/thinkpad/modules/security.nix

@@ -1,68 +0,0 @@
-{ pkgs, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    gnupg
-    yubioath-flutter
-  ];
-
-  programs.gnupg.agent.enable = true;
-
-  security = {
-    pam = {
-      services = {
-        gdm-fingerprint.text = ''
-          auth       required                    pam_shells.so
-          auth       requisite                   pam_nologin.so
-          auth       requisite                   pam_faillock.so      preauth
-          auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
-          auth       optional                    pam_permit.so
-          auth       required                    pam_env.so
-          auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
-          auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
-
-          account    include                     login
-
-          password   required                    pam_deny.so
-
-          session    include                     login
-          session    optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
-        '';
-        login = {
-          fprintAuth = false;
-          u2fAuth = false; # U2F and password
-        };
-        sudo.u2fAuth = true; # U2F or password
-      };
-      u2f = {
-        enable = true;
-        settings = {
-          cue = true; # Prompt: Please touch the device
-          interactive = false; # Prompt: Insert your U2F device, then press ENTER.
-        };
-      };
-    };
-  };
-
-  # Start the driver at boot
-  systemd.services.fprintd = {
-    wantedBy = [ "multi-user.target" ];
-    serviceConfig.Type = "simple";
-  };
-
-  # Install the driver
-  services.fprintd = {
-    enable = true;
-    tod.driver = pkgs.libfprint-2-tod1-goodix-550a; # Goodix 550a driver (from Lenovo)
-  };
-
-  # however for focaltech 2808:a658, use fprintd with overidden package (without tod)
-  # services.fprintd.package = pkgs.fprintd.override {
-  #   libfprint = pkgs.libfprint-focaltech-2808-a658;
-  # };
-
-  services = {
-    pcscd.enable = true; # Required for Yubikey
-    udev.packages = with pkgs; [ yubikey-personalization ];
-  };
-}

hosts/thinkpad/modules/shell.nix

@@ -1,19 +0,0 @@
-# For Fish dotfiles, see: /home-manager/fish.nix
-{ pkgs, ... }:
-
-{
-  programs = {
-    bash = {
-      # Starts the OS using Bash, then starts fish if it's not running
-      interactiveShellInit = ''
-        if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
-        then
-          shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
-          exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
-        fi
-      '';
-    };
-
-    fish.enable = true;
-  };
-}

hosts/thinkpad/security.nix

@@ -0,0 +1,38 @@
+{ pkgs, ... }:
+
+{
+  security = {
+    pam.services = {
+      gdm-fingerprint.text = ''
+        auth       required                    pam_shells.so
+        auth       requisite                   pam_nologin.so
+        auth       requisite                   pam_faillock.so      preauth
+        auth       required                    ${pkgs.fprintd}/lib/security/pam_fprintd.so
+        auth       optional                    pam_permit.so
+        auth       required                    pam_env.so
+        auth       [success=ok default=1]      ${pkgs.gdm}/lib/security/pam_gdm.so
+        auth       optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so
+
+        account    include                     login
+
+        password   required                    pam_deny.so
+
+        session    include                     login
+        session    optional                    ${pkgs.gnome-keyring}/lib/security/pam_gnome_keyring.so auto_start
+      '';
+      login.fprintAuth = false;
+    };
+  };
+
+  # Start the driver at boot
+  systemd.services.fprintd = {
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.Type = "simple";
+  };
+
+  # Install the driver
+  services.fprintd = {
+    enable = true;
+    tod.driver = pkgs.libfprint-2-tod1-goodix-550a; # Goodix 550a driver (from Lenovo)
+  };
+}

justfile

@@ -1,27 +1,50 @@
+# List all receipes
 default:
     @just --list
 
+# Format all files in repo
 fmt:
     treefmt --on-unmatched info
 
+# Clean user files
+clean-user:
+    nh clean user
+
+# Clean all files
+clean-all:
+    nh clean all
+
+# Build a specific host but don't activate it. Host must use same system as target system
+build HOST:
+    git add .
+    just fmt
+    nh os build . -H {{HOST}}
+
+# Switch to new config, but don't add to bootloader
 test *FLAGS:
     git add .
     just fmt
     nh os test . {{FLAGS}}
 
+# Add new configuration to bootloader, but don't activate it now
+boot *FLAGS:
+    git add .
+    just fmt
+    nh os test . {{FLAGS}}
+
+# Switch to new config and add to bootloader
 switch *FLAGS:
     git add .
     just fmt
     nh os switch . {{FLAGS}}
 
+# Switch to new config and add to bootloader without formatting or adding to git
 switch-now *FLAGS:
     nh os switch . {{FLAGS}}
 
-update-all:
-    nix-channel --update
+update-all *FLAGS:
     nix flake update
-
-    just switch
+    just switch {{FLAGS}}
 
 update PKG:
     nix flake update {{PKG}}
@@ -34,3 +57,32 @@ lock:
 # Decrypt all files in the repo using git-crypt and the user's GPG key
 unlock:
     git-crypt unlock ~/.config/git/crypt-key
+
+# Connect to tailnet or sign-in if not registered
+start-tailscale:
+    tailscale up --login-server https://vpn.martials.no
+
+# Generate a new SSH key without passphrase
+generate-ssh:
+    ssh-keygen -t ed25519 -a 32 -f ~/.ssh/id_ed25519 -P ""
+
+# Generate a new age key from an existing ssh key (without passphrase)
+generate-age-from-ssh:
+    mkdir -p ~/.config/sops/age
+    nix run nixpkgs#ssh-to-age -- -private-key -i ~/.ssh/id_ed25519 > ~/.config/sops/age/keys.txt
+
+# Get a public age key from an existing age private key
+get-public-age-key:
+    nix shell nixpkgs#age -c age-keygen -y ~/.config/sops/age/keys.txt
+
+# Get the public ssh key from the current user
+get-public-ssh-key:
+    cat ~/.ssh/id_ed25519.pub
+
+# Edit the SOPS secrets file
+edit-secrets:
+    nix run nixpkgs#sops -- shared/secrets/secrets.yaml
+
+# Hash a string using the mkpasswd command
+hash PASS:
+    echo "{{PASS}}" | mkpasswd -s

lib/default.nix

@@ -1,16 +1,19 @@
 # FIXME(lib.custom): Add some stuff from hmajid2301/dotfiles/lib/module/default.nix, as simplifies option declaration
 { lib, ... }:
+with builtins;
 
 {
-  getSecret = with lib.strings; filePath: trim (removeSuffix "\n" (builtins.readFile filePath));
+  getSecret = with lib.strings; filePath: trim (removeSuffix "\n" (readFile filePath));
 
   # use path relative to the root of the project
   relativeToRoot = lib.path.append ../.;
+  relativeToBase = lib.path.append ../shared/base;
+  relativeToDesktop = lib.path.append ../shared/desktop;
 
   scanPaths =
     path:
-    builtins.map (f: (path + "/${f}")) (
-      builtins.attrNames (
+    map (f: (path + "/${f}")) (
+      attrNames (
         lib.attrsets.filterAttrs (
           path: _type:
           (_type == "directory") # include directories
@@ -18,7 +21,7 @@
             (path != "default.nix") # ignore default.nix
             && (lib.strings.hasSuffix ".nix" path) # include .nix files
           )
-        ) (builtins.readDir path)
+        ) (readDir path)
       )
     );
 }

shared/base/home-manager/default.nix

@@ -0,0 +1,12 @@
+{ inputs, ... }:
+
+{
+  imports = [
+    inputs.catppuccin.homeModules.catppuccin
+    ./development
+    ./shell
+    ./gpg.nix
+    ./home-manager.nix
+    ./ssh.nix
+  ];
+}

shared/base/home-manager/development/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./git.nix
+    ./helix.nix
+  ];
+}

shared/base/home-manager/development/git.nix

@@ -1,7 +1,10 @@
-{ pkgs, ... }:
+{ pkgs, common, ... }:
 
 {
-  home.packages = with pkgs; [ git-crypt ];
+  home.packages = with pkgs; [
+    git-crypt
+    gitmoji-cli
+  ];
 
   programs.git =
     let
@@ -11,7 +14,7 @@
       enable = true;
       package = package;
       userName = "Martin Berg Alstad";
-      userEmail = "git@martials.no";
+      userEmail = "git@${common.domain}";
 
       aliases = {
         amend = "commit --amend";
@@ -23,6 +26,7 @@
       signing.signByDefault = true;
 
       extraConfig = {
+        pull.rebase = true;
         push.autoSetupRemote = true;
         safe.directory = "/etc/nixos";
         credential.helper = "${package}/bin/git-credential-libsecret";

shared/base/home-manager/development/helix.nix

@@ -0,0 +1,111 @@
+{
+  pkgs,
+  lib,
+  theme,
+  ...
+}:
+
+{
+  catppuccin.helix = {
+    enable = true;
+    flavor = theme.flavor;
+  };
+
+  programs = {
+    fish.shellAliases.edit = "hx";
+    helix =
+      let
+        prettier = format: {
+          command = lib.getExe pkgs.nodePackages.prettier;
+          args = [
+            "--stdin-filepath"
+            "file.${format}"
+          ];
+        };
+        biome = format: {
+          command = lib.getExe pkgs.biome;
+          args = [
+            "check"
+            "--stdin-file-path=file.${format}"
+            "--write"
+          ];
+        };
+      in
+      {
+        enable = true;
+        defaultEditor = true;
+        extraPackages = with pkgs; [
+          # Markdown
+          marksman
+          markdown-oxide
+          # Html, css, Json, Eslint
+          vscode-langservers-extracted
+          # Yaml
+          ansible-language-server
+          yaml-language-server
+        ];
+        settings = {
+          editor = {
+            auto-save = {
+              after-delay.enable = true;
+              focus-lost = true;
+            };
+            cursor-shape = {
+              normal = "block";
+              insert = "bar";
+              select = "underline";
+            };
+            lsp = {
+              display-inlay-hints = true;
+              display-messages = true;
+            };
+          };
+          keys.normal = {
+            C-f = ":format";
+          };
+        };
+
+        languages.language = [
+          {
+            name = "css";
+            formatter = biome "css";
+            auto-format = true;
+          }
+          {
+            name = "json";
+            language-servers = [
+              "vscode-json-language-server"
+            ];
+            formatter = biome "json";
+            auto-format = true;
+          }
+          {
+            name = "jsonc";
+            language-servers = [
+            ];
+            formatter = biome "jsonc";
+            file-types = [
+              "jsonc"
+            ];
+            auto-format = true;
+          }
+          {
+            name = "markdown";
+            formatter = prettier "md";
+            auto-format = true;
+          }
+          {
+            name = "nix";
+            formatter.command = lib.getExe pkgs.nixfmt-rfc-style;
+            auto-format = true;
+          }
+          {
+            name = "yaml";
+            formatter = prettier "yaml";
+            auto-format = true;
+          }
+        ];
+
+      };
+  };
+}

shared/base/home-manager/gpg.nix

@@ -1,9 +1,10 @@
 { pkgs, ... }:
 
 {
+  programs.gpg.enable = true;
   services.gpg-agent = {
     enable = true;
     enableFishIntegration = true;
-    pinentryPackage = pkgs.pinentry-curses;
+    pinentry.package = pkgs.pinentry-curses;
   };
 }

shared/base/home-manager/home-manager.nix

@@ -0,0 +1,16 @@
+{
+  systemConfig,
+  common,
+  ...
+}:
+
+{
+  home = {
+    username = systemConfig.username;
+    homeDirectory = common.dir.home;
+    stateVersion = systemConfig.version;
+  };
+
+  # Let Home Manager install and manage itself.
+  programs.home-manager.enable = true;
+}

shared/base/home-manager/shell/bat.nix

@@ -0,0 +1,13 @@
+{ theme, ... }:
+
+{
+  catppuccin.bat = {
+    enable = true;
+    flavor = theme.flavor;
+  };
+
+  programs = {
+    bat.enable = true;
+    fish.shellAliases.cat = "bat";
+  };
+}

shared/base/home-manager/shell/default.nix

@@ -0,0 +1,11 @@
+{
+  imports = [
+    ./bat.nix
+    ./btop.nix
+    ./eza.nix
+    ./fastfetch.nix
+    ./fish.nix
+    ./fzf.nix
+    ./zoxide.nix
+  ];
+}

shared/base/home-manager/shell/eza.nix

@@ -0,0 +1,12 @@
+{
+  programs = {
+    eza = {
+      enable = true;
+      colors = "always";
+      enableFishIntegration = true;
+      git = true;
+      icons = "always";
+    };
+    fish.shellAliases.ls = "eza";
+  };
+}

shared/base/home-manager/shell/fzf.nix

@@ -0,0 +1,13 @@
+{ theme, ... }:
+
+{
+  catppuccin.fzf = {
+    enable = true;
+    flavor = theme.flavor;
+  };
+
+  programs.fzf = {
+    enable = true;
+    enableFishIntegration = true;
+  };
+}

shared/base/home-manager/shell/zoxide.nix

@@ -0,0 +1,10 @@
+# cd alternative
+{
+  programs = {
+    fish.shellAliases.cd = "z";
+    zoxide = {
+      enable = true;
+      enableFishIntegration = true;
+    };
+  };
+}

shared/base/home-manager/ssh.nix

@@ -0,0 +1,32 @@
+# ~/.ssh/config
+{
+  systemConfig,
+  systems,
+  common,
+  ...
+}:
+with builtins;
+
+{
+  programs.ssh = {
+    enable = true;
+    matchBlocks = listToAttrs (
+      map (system: {
+        name = system.hostName;
+        value =
+          let
+            hostName =
+              if (system ? address && system.address ? tailnet) then
+                system.address.tailnet
+              else
+                common.tailnetAddr system.hostName;
+          in
+          {
+            port = 22;
+            user = systemConfig.username;
+            hostname = hostName;
+          };
+      }) systems
+    );
+  };
+}

shared/base/modules/default.nix

@@ -0,0 +1,11 @@
+{
+  imports = [
+    ./development
+    ./networking.nix
+    ./nix-helper.nix
+    ./nixos.nix
+    ./security
+    ./shell.nix
+    ./users.nix
+  ];
+}

shared/base/modules/development/default.nix

@@ -2,11 +2,12 @@
 
 {
   imports = [
-    ./steam.nix
+    ./formatters.nix
+    ./nix.nix
   ];
 
   environment.systemPackages = with pkgs; [
-    heroic
-    wine
+    git
+    just
   ];
 }

shared/base/modules/development/formatters.nix

@@ -2,10 +2,9 @@
 
 {
   environment.systemPackages = with pkgs; [
-    # Language servers
-    nixd
-    nil
-    # Formatters
+    biome # Linter + formatter
     nixfmt-rfc-style
+    treefmt
+    shfmt
   ];
 }

shared/base/modules/development/nix.nix

@@ -0,0 +1,8 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    nixd
+    nil
+  ];
+}

shared/base/modules/networking.nix

@@ -0,0 +1,19 @@
+{ pkgs, systemConfig, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    wget
+  ];
+
+  networking = {
+    networkmanager.enable = true;
+    hostName = systemConfig.hostName;
+  };
+
+  programs.ssh.enableAskPassword = false;
+
+  services = {
+    openssh.enable = true;
+    tailscale.enable = true;
+  };
+}

shared/base/modules/nix-helper.nix

@@ -1,8 +1,10 @@
 # Nix-Helper: github.com/viperML/nh
+{ common, ... }:
+
 {
   programs.nh = {
     enable = true;
-    flake = ../.;
+    flake = common.root;
     clean = {
       enable = true;
       dates = "weekly";

shared/base/modules/nixos.nix

@@ -0,0 +1,28 @@
+{
+  pkgs,
+  outputs,
+  systemConfig,
+  ...
+}:
+
+{
+  environment.systemPackages = with pkgs; [
+    nix-prefetch-github # Cmd to get rev and hash from GitHub
+  ];
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
+  nixpkgs = {
+    # Allow unfree packages
+    config.allowUnfree = true;
+    overlays = [ outputs.overlays.unstable-packages ];
+  };
+
+  system = {
+    rebuild.enableNg = true;
+    stateVersion = systemConfig.version;
+  };
+}

shared/base/modules/security/default.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    ./keyring.nix
+    ./sops.nix
+    ./ssh.nix
+  ];
+
+  programs.gnupg.agent.enable = true;
+}

shared/base/modules/security/keyring.nix

@@ -0,0 +1,3 @@
+{
+  services.gnome.gnome-keyring.enable = true;
+}

shared/base/modules/security/sops.nix

@@ -0,0 +1,20 @@
+{
+  inputs,
+  lib,
+  systemConfig,
+  ...
+}:
+
+{
+  imports = [
+    inputs.sops-nix.nixosModules.sops
+  ];
+
+  sops = {
+    defaultSopsFile = lib.custom.relativeToRoot "shared/secrets/secrets.yaml";
+    defaultSopsFormat = "yaml";
+
+    age.keyFile = "/home/${systemConfig.username}/.config/sops/age/keys.txt";
+    secrets.password-hash.neededForUsers = true;
+  };
+}

shared/base/modules/security/ssh.nix

@@ -0,0 +1,33 @@
+# /nix/store/<hash>/etc/ssh/ssh_config & /nix/store/<hash>/etc/ssh/authorized_keys
+{
+  systemConfig,
+  systems,
+  knownSystems,
+  common,
+  ...
+}:
+with builtins;
+let
+  allSystems = knownSystems ++ systems;
+in
+{
+  programs.ssh.knownHosts = listToAttrs (
+    map (system: {
+      name = system.hostName;
+      value = {
+        extraHostNames = [
+          (
+            if (system ? address && system.address ? tailnet) then
+              system.address.tailnet
+            else
+              common.tailnetAddr system.hostName
+          )
+        ];
+        publicKey = system.ssh.publicKey;
+      };
+    }) allSystems
+  );
+  users.users.${systemConfig.username}.openssh.authorizedKeys.keys = (
+    map (system: system.ssh.publicKey) allSystems
+  );
+}

shared/base/modules/users.nix

@@ -0,0 +1,18 @@
+{ config, systemConfig, ... }:
+let
+  username = systemConfig.username;
+in
+{
+  users = {
+    mutableUsers = false;
+    users.${username} = {
+      isNormalUser = true;
+      hashedPasswordFile = config.sops.secrets.password-hash.path;
+      description = username;
+      extraGroups = [
+        "networkmanager"
+        "wheel"
+      ];
+    };
+  };
+}