feat(home): switch to nemo with extensions

Also add it to my Waybar config

.envrc

@@ -1,3 +1,4 @@
+# -*- mode: sh; -*-
 if ! has nix_direnv_version || ! nix_direnv_version 2.2.1; then
   source_url "https://raw.githubusercontent.com/nix-community/nix-direnv/2.2.1/direnvrc" "sha256-zelF0vLbEl5uaqrfIzbgNzJWGmLzCmYAkInj/LNxvKs="
 fi

README.md

@@ -0,0 +1,57 @@
+# NixOS Configuration
+
+Personal NixOS configuration for my machines, using Nix Flakes for reproducible and shareable setups.
+
+## Repository Structure
+
+- **flake.nix**: Main entry point for the Nix Flake, defining NixOS and home-manager configurations.
+- **hosts/**: Contains the host-specific NixOS configurations.
+- **system/**: Holds system-wide configuration modules that can be shared across different hosts. This includes things like boot settings, desktop environments, hardware configurations, networking, packages, security, and system services.
+- **users/**: Manages user-specific configurations. It's split into `modules` for reusable home-manager configurations and `phundrak` for my personal configuration.
+- **keys/**: Public keys for various machines.
+- **secrets/**: Encrypted secrets managed with `sops-nix`.
+
+## Usage
+
+### System Management
+
+Update flake dependencies:
+```bash
+nix flake update
+```
+
+Build and switch to a new system configuration:
+```bash
+sudo nixos-rebuild switch --flake .#<hostname>
+```
+
+Using the Nix Helper (nh) tool:
+```bash
+# Build and activate a new configuration, making it the boot default
+nh os switch
+
+# Build a new configuration and make it the boot default
+nh os boot
+
+# Build and activate a new configuration (without making it the boot default)
+nh os test
+
+# Just build a new configuration
+nh os build
+```
+
+### Home Configuration
+
+Update and switch to a new home configuration:
+```bash
+nh home switch
+```
+
+Format Nix files (using Alejandra):
+```bash
+nix fmt .
+```
+
+## Contributing
+
+Feel free to fork this repository and make your own changes. If you have any improvements or suggestions, please open an issue or submit a pull request.

README.org

@@ -1,37 +0,0 @@
-#+title: NixOS Configuration
-#+author: Lucien Cartier-Tilet <lucien@phundrak.com>
-
-This repository contains the NixOS configuration for my personal
-setup. It uses Nix Flakes to manache the configuration, making it
-reproducible and easy to share across my different machines.
-
-* Repository Structure
-- =flake.nix= :: The main entry point for the Nix Flake. It defines my
-  NixOS configurations as well as a dev shell which installs the tools
-  needed for testing and building my configurations.
-- =hosts/= :: Directory containing host-specific configurations. Each
-  host has its own directory with at least a =configuration.nix= file.
-- =modules/= :: Custom NixOS modules that can be reused across different
-  hosts.
-- =programs/= :: Programs shared across hosts at the system level that
-  are not made into configurable modules.
-- =secrets/= :: Contains secret values that I cannot or will not share
-  publicly.
-- =system/= :: Common system-level configuration shared across hosts
-  that are not made into configurable modules.
-- =users/phundrak/= :: My home-manager configuration, containing
-  user-specific settings and applications.
-- =users/modules/= :: Custom user NixOS modules that can be reused
-  across different users.
-- =user/scripts/= :: Custom shell scripts shared across users.
-
-* Updating and Rebuilding the Configuration
-In this repository, there are two helper scripts:
-- =update.sh= :: Updates the Flake’s lockfile.
-- =rebuild.sh= :: Rebuilds the configuration and switch to it
-  immediately.
-
-* Contributing
-Feel free to fork this repository and make your own changes. If you
-have any improvements or suggestions, please open an issue or submit a
-pull request.

flake.lock

@@ -6,19 +6,24 @@
           "devenv"
         ],
         "flake-compat": [
-          "devenv"
+          "devenv",
+          "flake-compat"
         ],
         "git-hooks": [
-          "devenv"
+          "devenv",
+          "git-hooks"
         ],
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": [
+          "devenv",
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1742042642,
-        "narHash": "sha256-D0gP8srrX0qj+wNYNPdtVJsQuFzIng3q43thnHXQ/es=",
+        "lastModified": 1760971495,
+        "narHash": "sha256-IwnNtbNVrlZIHh7h4Wz6VP0Furxg9Hh0ycighvL5cZc=",
         "owner": "cachix",
         "repo": "cachix",
-        "rev": "a624d3eaf4b1d225f918de8543ed739f2f574203",
+        "rev": "c5bfd933d1033672f51a863c47303fc0e093c2d2",
         "type": "github"
       },
       "original": {
@@ -28,20 +33,44 @@
         "type": "github"
       }
     },
+    "claude-desktop": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1764098187,
+        "narHash": "sha256-H6JjWXhKqxZ8QLMoqndZx9e5x0Sv5AiipSmqvIxIbgo=",
+        "owner": "k3d3",
+        "repo": "claude-desktop-linux-flake",
+        "rev": "b2b040cb68231d2118906507d9cc8fd181ca6308",
+        "type": "github"
+      },
+      "original": {
+        "owner": "k3d3",
+        "repo": "claude-desktop-linux-flake",
+        "type": "github"
+      }
+    },
     "devenv": {
       "inputs": {
         "cachix": "cachix",
         "flake-compat": "flake-compat",
+        "flake-parts": "flake-parts",
         "git-hooks": "git-hooks",
         "nix": "nix",
-        "nixpkgs": "nixpkgs_3"
+        "nixpkgs": [
+          "nixpkgs"
+        ]
       },
       "locked": {
-        "lastModified": 1746189866,
-        "narHash": "sha256-3sTvuSVBFcXbqg26Qcw/ENJ1s36jtzEcZ0mHqLqvWRA=",
+        "lastModified": 1764669403,
+        "narHash": "sha256-aJCOp0CV/9KIR2LTwSbZZN3j9Avg7umYyaqDFPoOVhI=",
         "owner": "cachix",
         "repo": "devenv",
-        "rev": "5fc592d45dd056035e0fd5000893a21609c35526",
+        "rev": "3f2d25e7af748127da0571266054575dd8fec5ab",
         "type": "github"
       },
       "original": {
@@ -53,11 +82,11 @@
     "flake-compat": {
       "flake": false,
       "locked": {
-        "lastModified": 1733328505,
-        "narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+        "lastModified": 1761588595,
+        "narHash": "sha256-XKUZz9zewJNUj46b4AJdiRZJAvSZ0Dqj2BNfXvFlJC4=",
         "owner": "edolstra",
         "repo": "flake-compat",
-        "rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+        "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5",
         "type": "github"
       },
       "original": {
@@ -70,16 +99,15 @@
       "inputs": {
         "nixpkgs-lib": [
           "devenv",
-          "nix",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1712014858,
-        "narHash": "sha256-sB4SWl2lX95bExY2gMFG5HIzvva5AVMJd4Igm+GpZNw=",
+        "lastModified": 1760948891,
+        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "9126214d0a59633752a136528f5f3b9aa8565b7d",
+        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
         "type": "github"
       },
       "original": {
@@ -88,10 +116,47 @@
         "type": "github"
       }
     },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1731533236,
+        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
     "git-hooks": {
       "inputs": {
         "flake-compat": [
-          "devenv"
+          "devenv",
+          "flake-compat"
         ],
         "gitignore": "gitignore",
         "nixpkgs": [
@@ -100,11 +165,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1742649964,
-        "narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
+        "lastModified": 1760663237,
+        "narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
+        "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37",
         "type": "github"
       },
       "original": {
@@ -142,11 +207,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1746204974,
-        "narHash": "sha256-Evu4H0/kzaQoCNLGQTp+JGTqkywzPx0IAo20Ci2zNck=",
+        "lastModified": 1764780230,
+        "narHash": "sha256-/hLZoLxzr2jwMStuUofB6PZm2eE3kpw91WObm66vPUs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "1e8c62c651242fc685b10efc4a48ab777635fb7f",
+        "rev": "af324afa72de6d23162f0cdcb0716afe6e626683",
         "type": "github"
       },
       "original": {
@@ -155,110 +220,73 @@
         "type": "github"
       }
     },
-    "libgit2": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1697646580,
-        "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
-        "owner": "libgit2",
-        "repo": "libgit2",
-        "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
-        "type": "github"
-      },
-      "original": {
-        "owner": "libgit2",
-        "repo": "libgit2",
-        "type": "github"
-      }
-    },
     "nix": {
       "inputs": {
         "flake-compat": [
-          "devenv"
+          "devenv",
+          "flake-compat"
+        ],
+        "flake-parts": [
+          "devenv",
+          "flake-parts"
+        ],
+        "git-hooks-nix": [
+          "devenv",
+          "git-hooks"
+        ],
+        "nixpkgs": [
+          "devenv",
+          "nixpkgs"
         ],
-        "flake-parts": "flake-parts",
-        "libgit2": "libgit2",
-        "nixpkgs": "nixpkgs_2",
         "nixpkgs-23-11": [
           "devenv"
         ],
         "nixpkgs-regression": [
           "devenv"
-        ],
-        "pre-commit-hooks": [
-          "devenv"
         ]
       },
       "locked": {
-        "lastModified": 1745930071,
-        "narHash": "sha256-bYyjarS3qSNqxfgc89IoVz8cAFDkF9yPE63EJr+h50s=",
-        "owner": "domenkozar",
+        "lastModified": 1761648602,
+        "narHash": "sha256-H97KSB/luq/aGobKRuHahOvT1r7C03BgB6D5HBZsbN8=",
+        "owner": "cachix",
         "repo": "nix",
-        "rev": "b455edf3505f1bf0172b39a735caef94687d0d9c",
+        "rev": "3e5644da6830ef65f0a2f7ec22830c46285bfff6",
         "type": "github"
       },
       "original": {
-        "owner": "domenkozar",
-        "ref": "devenv-2.24",
+        "owner": "cachix",
+        "ref": "devenv-2.30.6",
         "repo": "nix",
         "type": "github"
       }
     },
+    "nix-index-database": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1764475780,
+        "narHash": "sha256-77jL5H5x51ksLiOUDjY0ZK8e2T4ZXLhj3ap8ETvknWI=",
+        "owner": "nix-community",
+        "repo": "nix-index-database",
+        "rev": "5a3ff8c1a09003f399f43d5742d893c0b1ab8af0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-index-database",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1733212471,
-        "narHash": "sha256-M1+uCoV5igihRfcUKrr1riygbe73/dzNnzPsmaLCmpo=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "55d15ad12a74eb7d4646254e13638ad0c4128776",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1717432640,
-        "narHash": "sha256-+f9c4/ZX5MWDOuB1rKoWj+lBNm0z0rs4CK47HBLxy1o=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "88269ab3044128b7c2f4c7d68448b2fb50456870",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "ref": "release-24.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1733477122,
-        "narHash": "sha256-qamMCz5mNpQmgBwc8SB5tVMlD5sbwVIToVZtSxMph9s=",
-        "owner": "cachix",
-        "repo": "devenv-nixpkgs",
-        "rev": "7bd9e84d0452f6d2e63b6e6da29fe73fac951857",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "ref": "rolling",
-        "repo": "devenv-nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_4": {
-      "locked": {
-        "lastModified": 1746141548,
-        "narHash": "sha256-IgBWhX7A2oJmZFIrpRuMnw5RAufVnfvOgHWgIdds+hc=",
+        "lastModified": 1764517877,
+        "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "f02fddb8acef29a8b32f10a335d44828d7825b78",
+        "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
         "type": "github"
       },
       "original": {
@@ -268,15 +296,82 @@
         "type": "github"
       }
     },
+    "pumo-system-info": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1748984111,
+        "narHash": "sha256-SP1/+cCHnPg0UqylHCzeKNx61wGapLrYRn5UKiiDicc=",
+        "ref": "refs/heads/develop",
+        "rev": "f9fe233b6cb669a718a0ddb529793159d39ba32e",
+        "revCount": 9,
+        "type": "git",
+        "url": "https://labs.phundrak.com/phundrak/pumo-system-info"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://labs.phundrak.com/phundrak/pumo-system-info"
+      }
+    },
+    "quickshell": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1764663772,
+        "narHash": "sha256-sHqLmm0wAt3PC4vczJeBozI1/f4rv9yp3IjkClHDXDs=",
+        "ref": "refs/heads/master",
+        "rev": "26531fc46ef17e9365b03770edd3fb9206fcb460",
+        "revCount": 713,
+        "type": "git",
+        "url": "https://git.outfoxxed.me/quickshell/quickshell"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.outfoxxed.me/quickshell/quickshell"
+      }
+    },
     "root": {
       "inputs": {
+        "claude-desktop": "claude-desktop",
         "devenv": "devenv",
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs_4",
+        "nix-index-database": "nix-index-database",
+        "nixpkgs": "nixpkgs",
+        "pumo-system-info": "pumo-system-info",
+        "quickshell": "quickshell",
         "sops-nix": "sops-nix",
         "zen-browser": "zen-browser"
       }
     },
+    "rust-overlay": {
+      "inputs": {
+        "nixpkgs": [
+          "pumo-system-info",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748918260,
+        "narHash": "sha256-KhXNXQ5IDLvwwYfJ0pXDjwIuisZ2qM6F7fcXjIGZy/4=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "c9736155bc1eb7c7cf3a925920850e61c07ab22a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
     "sops-nix": {
       "inputs": {
         "nixpkgs": [
@@ -284,11 +379,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745310711,
-        "narHash": "sha256-ePyTpKEJTgX0gvgNQWd7tQYQ3glIkbqcW778RpHlqgA=",
+        "lastModified": 1764483358,
+        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5e3e92b16d6fdf9923425a8d4df7496b2434f39c",
+        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
         "type": "github"
       },
       "original": {
@@ -297,6 +392,36 @@
         "type": "github"
       }
     },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "zen-browser": {
       "inputs": {
         "nixpkgs": [
@@ -304,11 +429,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1745121923,
-        "narHash": "sha256-8X9JuDfxAEQlBhB0ARgFj9fbDOlCvPx6AbQ1h2T47/g=",
+        "lastModified": 1764648680,
+        "narHash": "sha256-B/nmawJ75/951Xs9ludSxDVd/txFY+odmcbinySqMQo=",
         "owner": "youwen5",
         "repo": "zen-browser-flake",
-        "rev": "02084a38e9dbc4fa17f3474c3e9d43bb7db55799",
+        "rev": "897df2f2ad4880563ce801fa29f348a4e98f0a20",
         "type": "github"
       },
       "original": {

flake.nix

@@ -2,17 +2,43 @@
   description = "Home Manager configuration of phundrak";
 
   inputs = {
-    # Specify the source of Home Manager and Nixpkgs.
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+
+    devenv = {
+      url = "github:cachix/devenv";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     home-manager = {
       url = "github:nix-community/home-manager";
       inputs.nixpkgs.follows = "nixpkgs";
     };
-    devenv.url = "github:cachix/devenv";
+
+    nix-index-database = {
+      url = "github:nix-community/nix-index-database";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    pumo-system-info = {
+      url = "git+https://labs.phundrak.com/phundrak/pumo-system-info";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    quickshell = {
+      url = "git+https://git.outfoxxed.me/quickshell/quickshell";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     sops-nix = {
       url = "github:Mic92/sops-nix";
       inputs.nixpkgs.follows = "nixpkgs";
     };
+
+    claude-desktop = {
+      url = "github:k3d3/claude-desktop-linux-flake";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     zen-browser = {
       url = "github:youwen5/zen-browser-flake";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -62,63 +88,54 @@
       ];
     };
 
-    homeConfigurations = {
+    homeConfigurations = let
+      extraSpecialArgs = {inherit inputs outputs system;};
+      pkgs = nixpkgs.legacyPackages.x86_64-linux;
+      defaultUserModules = [
+        inputs.sops-nix.homeManagerModules.sops
+      ];
+      withUserModules = modules: nixpkgs.lib.lists.flatten (defaultUserModules ++ [modules]);
+    in {
+      "phundrak@alys" = home-manager.lib.homeManagerConfiguration {
+        inherit extraSpecialArgs pkgs;
+        modules = withUserModules ./users/phundrak/host/alys.nix;
+      };
       "phundrak@marpa" = home-manager.lib.homeManagerConfiguration {
-        pkgs = nixpkgs.legacyPackages.x86_64-linux;
-        extraSpecialArgs = {
-          inherit inputs outputs;
-          home-conf = "fullHome";
-        };
-        modules = [
-          ./users/phundrak/marpa.nix
-          inputs.sops-nix.homeManagerModules.sops
-        ];
+        inherit extraSpecialArgs pkgs;
+        modules = withUserModules ./users/phundrak/host/marpa.nix;
       };
       "phundrak@gampo" = home-manager.lib.homeManagerConfiguration {
-        pkgs = nixpkgs.legacyPackages.x86_64-linux;
-        extraSpecialArgs = {
-          inherit inputs outputs;
-          home-conf = "fullHome";
-        };
-        modules = [
-          ./users/phundrak/gampo.nix
-          inputs.sops-nix.homeManagerModules.sops
-        ];
+        inherit extraSpecialArgs pkgs;
+        modules = withUserModules ./users/phundrak/host/gampo.nix;
       };
       "phundrak@tilo" = home-manager.lib.homeManagerConfiguration {
-        pkgs = nixpkgs.legacyPackages.x86_64-linux;
-        extraSpecialArgs = {
-          inherit inputs outputs;
-          home-conf = "minimal";
-        };
-        modules = [
-          ./users/phundrak/tilo.nix
-          inputs.sops-nix.homeManagerModules.sops
-        ];
+        inherit extraSpecialArgs pkgs;
+        modules = withUserModules ./users/phundrak/host/tilo.nix;
       };
     };
 
-    nixosConfigurations = {
+    nixosConfigurations = let
+      specialArgs = {inherit inputs outputs;};
+      defaultSystemModules = [
+        inputs.sops-nix.nixosModules.sops
+      ];
+      withSystemModules = modules: nixpkgs.lib.lists.flatten (defaultSystemModules ++ [modules]);
+    in {
+      alys = nixpkgs.lib.nixosSystem {
+        inherit specialArgs;
+        modules = withSystemModules ./hosts/alys/configuration.nix;
+      };
       gampo = nixpkgs.lib.nixosSystem {
-        specialArgs = {inherit inputs outputs;};
-        modules = [
-          ./hosts/gampo/configuration.nix
-          inputs.sops-nix.nixosModules.sops
-        ];
+        inherit specialArgs;
+        modules = withSystemModules ./hosts/gampo/configuration.nix;
       };
       marpa = nixpkgs.lib.nixosSystem {
-        specialArgs = {inherit inputs outputs;};
-        modules = [
-          ./hosts/marpa/configuration.nix
-          inputs.sops-nix.nixosModules.sops
-        ];
+        inherit specialArgs;
+        modules = withSystemModules ./hosts/marpa/configuration.nix;
       };
       tilo = nixpkgs.lib.nixosSystem {
-        specialArgs = {inherit inputs outputs;};
-        modules = [
-          ./hosts/tilo/configuration.nix
-          inputs.sops-nix.nixosModules.sops
-        ];
+        inherit specialArgs;
+        modules = withSystemModules ./hosts/tilo/configuration.nix;
       };
     };
   };

hosts/alys/configuration.nix

@@ -0,0 +1,41 @@
+{inputs, ...}: {
+  imports = [
+    ./hardware-configuration.nix
+    inputs.home-manager.nixosModules.default
+    ../../system
+  ];
+
+  mySystem = {
+    boot = {
+      kernel.hardened = true;
+      systemd-boot = false;
+      zram = {
+        enable = true;
+        memoryMax = 512;
+      };
+    };
+    dev.docker.enable = true;
+    networking = {
+      hostname = "alys";
+      domain = "phundrak.com";
+      id = "41157110";
+    };
+    packages.nix = {
+      gc.automatic = true;
+      trusted-users = ["root" "phundrak"];
+    };
+    services = {
+      endlessh.enable = true;
+      ssh = {
+        enable = true;
+        allowedUsers = ["phundrak"];
+        passwordAuthentication = false;
+      };
+    };
+    users = {
+      root.disablePassword = true;
+      phundrak.enable = true;
+    };
+  };
+  system.stateVersion = "23.11";
+}

hosts/alys/hardware-configuration.nix

@@ -0,0 +1,28 @@
+{
+  modulesPath,
+  lib,
+  ...
+}: {
+  imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+  boot = {
+    loader.grub = {
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+      device = "nodev";
+    };
+    initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi"];
+    initrd.kernelModules = ["nvme"];
+  };
+  fileSystems = {
+    "/" = {
+      device = "/dev/vda1";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/F137-8D01";
+      fsType = "vfat";
+    };
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/gampo/configuration.nix

@@ -1,6 +1,3 @@
-# Edit this configuration file to define what should be installed on
-# your system.  Help is available in the configuration.nix(5) man page
-# and in the NixOS manual (accessible by running ‘nixos-help’).
 {
   config,
   pkgs,
@@ -9,49 +6,74 @@
 }: {
   imports = [
     inputs.sops-nix.nixosModules.sops
-    ./system/hardware-configuration.nix
-    ./services.nix
-    ../../modules/system.nix
-    ../../modules/sops.nix
-    ../../modules/opentablet.nix
-    ../../programs/steam.nix
+    ./hardware-configuration.nix
+    ../../system
   ];
 
+  mySystem = {
+    boot = {
+      plymouth.enable = true;
+      kernel = {
+        cpuVendor = "intel";
+        package = pkgs.linuxPackages;
+        modules = ["i915"];
+      };
+      systemd-boot = true;
+    };
+    desktop = {
+      hyprland.enable = true;
+      xserver = {
+        enable = true;
+        de = "gnome";
+      };
+    };
+    dev.docker = {
+      enable = true;
+      podman.enable = true;
+      autoprune.enable = true;
+    };
+    hardware = {
+      bluetooth.enable = true;
+      input = {
+        corne.allowHidAccess = true;
+        ibmTrackpoint.disable = true;
+        opentablet.enable = true;
+      };
+      sound.enable = true;
+    };
+    misc.keymap = "fr-bepo";
+    networking = {
+      hostname = "gampo";
+      id = "0630b33f";
+      hostFiles = [config.sops.secrets.extraHosts.path];
+    };
+    packages = {
+      appimage.enable = true;
+      flatpak.enable = true;
+      nix = {
+        nix-ld.enable = true;
+        trusted-users = ["root" "phundrak"];
+      };
+    };
+    programs.steam.enable = true;
+    services = {
+      fwupd.enable = true;
+      ssh.enable = true;
+    };
+    users = {
+      root.disablePassword = true;
+      phundrak.enable = true;
+    };
+  };
+
   sops.secrets.extraHosts = {
     inherit (config.users.users.root) group;
     owner = config.users.users.phundrak.name;
     mode = "0440";
   };
 
-  boot.initrd.kernelModules = ["i915"];
-
-  system = {
-    boot.plymouth.enable = true;
-    docker = {
-      enable = true;
-      autoprune.enable = true;
-      podman.enable = true;
-    };
-    networking = {
-      hostname = "gampo";
-      id = "0630b33f";
-      hostFiles = [config.sops.secrets.extraHosts.path];
-    };
-    sound.enable = true;
-  };
-
   security.rtkit.enable = true;
 
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
-  environment.systemPackages = with pkgs; [
-    curl
-    openssl
-    wget
-  ];
-
-  nix.settings.trusted-users = ["root" "phundrak"];
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database
   # versions on your system were taken. It‘s perfectly fine and

hosts/gampo/services.nix

@@ -1,15 +0,0 @@
-{
-  imports = [
-    ./services/gnome.nix
-  ];
-
-  services = {
-    # Enable CUPS to print documents.
-    printing.enable = true;
-    openssh.enable = true;
-    fwupd.enable = true;
-    udev.extraRules = ''
-      ATTRS{name}=="*TPPS/2 IBM TrackPoint", ENV{ID_INPUT}="", ENV{ID_INPUT_MOUSE}="", ENV{ID_INPUT_POINTINGSTICK}=""
-    '';
-  };
-}

hosts/gampo/services/gnome.nix

@@ -1,11 +0,0 @@
-{
-  services.xserver = {
-    enable = true;
-    displayManager.gdm.enable = true;
-    desktopManager.gnome.enable = true;
-    xkb = {
-      layout = "fr";
-      variant = "bepo";
-    };
-  };
-}

hosts/marpa/configuration.nix

@@ -1,41 +1,84 @@
 {
   config,
-  pkgs,
   inputs,
   ...
 }: {
   imports = [
     inputs.sops-nix.nixosModules.sops
-    ./system/hardware-configuration.nix
-    ./services.nix
-    ../../modules/system.nix
-    ../../modules/sops.nix
-    ../../modules/opentablet.nix
-    ../../programs/flatpak.nix
-    ../../programs/steam.nix
+    ./hardware-configuration.nix
+    ../../system
   ];
 
-  sops.secrets.extraHosts = {
-    inherit (config.users.users.root) group;
-    owner = config.users.users.phundrak.name;
-    mode = "0440";
-  };
-
-  security.polkit.enable = true;
-
-  fileSystems."/games" = {
-    device = "/dev/disk/by-uuid/77d32db8-2e85-4593-b6b8-55d4f9d14e1a";
-    fsType = "ext4";
-  };
-
-  system = {
-    amdgpu.enable = true;
-    boot.plymouth.enable = true;
-    docker = {
-      enable = true;
-      podman.enable = true;
-      autoprune.enable = true;
+  fileSystems = {
+    "/home".options = [
+      "compress=zstd:3" # Good balance of compression vs speed
+      "space_cache=v2" # Better performance
+      "noatime" # Don't update access times (less writes)
+    ];
+    "/mnt/ai" = {
+      device = "/dev/disk/by-uuid/47e87286-caaa-4e43-b2fd-b9eceac90fe9";
+      fsType = "btrfs";
+      options = [
+        "compress=zstd:3" # Good balance of compression vs speed
+        "space_cache=v2" # Better performance
+        "noatime" # Don't update access times (less writes)
+      ];
     };
+    "/mnt/games" = {
+      device = "/dev/disk/by-uuid/a8453133-76dc-44bd-a825-444c3305fd9b";
+      fsType = "btrfs";
+      options = [
+        "compress=zstd:3" # Good balance of compression vs speed
+        "space_cache=v2" # Better performance
+        "noatime" # Don't update access times (less writes)
+      ];
+    };
+    "/games" = {
+      device = "/dev/disk/by-uuid/77d32db8-2e85-4593-b6b8-55d4f9d14e1a";
+      fsType = "ext4";
+    };
+  };
+
+  mySystem = {
+    boot = {
+      extraModprobeConfig = ''
+        options snd_usb_audio vid=0x1235 pid=0x8212 device_setup=1
+      '';
+      plymouth.enable = true;
+      kernel.cpuVendor = "amd";
+      systemd-boot = true;
+    };
+    desktop = {
+      hyprland.enable = true;
+      niri.enable = true;
+      waydroid.enable = true;
+      xserver = {
+        enable = true;
+        de = "gnome";
+      };
+    };
+    dev = {
+      docker = {
+        enable = true;
+        podman.enable = true;
+        autoprune.enable = true;
+      };
+      qemu.enable = true;
+    };
+    hardware = {
+      amdgpu.enable = true;
+      bluetooth.enable = true;
+      input = {
+        corne.allowHidAccess = true;
+        opentablet.enable = true;
+      };
+      sound = {
+        enable = true;
+        jack = true;
+        scarlett.enable = true;
+      };
+    };
+    misc.keymap = "fr-bepo";
     networking = {
       hostname = "marpa";
       id = "7EA4A111";
@@ -48,25 +91,46 @@
         }
       ];
     };
-    sound = {
-      enable = true;
-      jack = true;
+    packages = {
+      appimage.enable = true;
+      flatpak.enable = true;
+      nix = {
+        nix-ld.enable = true;
+        trusted-users = ["root" "phundrak"];
+      };
+    };
+    programs.steam.enable = true;
+    services = {
+      fwupd.enable = true;
+      printing.enable = true;
+      ssh.enable = true;
+      sunshine = {
+        enable = true;
+        autostart = true;
+      };
+      languagetool.enable = true;
+    };
+    users = {
+      root.disablePassword = true;
+      phundrak.enable = true;
     };
   };
 
-  security.rtkit.enable = true;
+  sops.secrets.extraHosts = {
+    inherit (config.users.users.root) group;
+    owner = config.users.users.phundrak.name;
+    mode = "0440";
+  };
 
-  nix.settings.trusted-users = ["root" "phundrak"];
-  nixpkgs.config.allowUnfree = true;
+  services.udev.extraHwdb = ''
+    mouse:usb:047d:80a6:*
+     LIBINPUT_MIDDLE_EMULATION_ENABLED=1
+  '';
 
-  environment.systemPackages = with pkgs; [
-    clinfo # AMD
-    curl
-    openssl
-    wget
-  ];
-
-  programs.nix-ld.enable = true;
+  security = {
+    polkit.enable = true;
+    rtkit.enable = true;
+  };
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions

hosts/marpa/services.nix

@@ -1,23 +0,0 @@
-{
-  imports = [
-    ../../modules/ssh.nix
-    ../../modules/sunshine.nix
-    ../../modules/xserver.nix
-  ];
-
-  modules = {
-    xserver = {
-      amdgpu.enable = true;
-      de = "gnome";
-    };
-    sunshine = {
-      enable = true;
-      autostart = true;
-    };
-  };
-  services = {
-    printing.enable = true;
-    openssh.enable = true;
-    fwupd.enable = true;
-  };
-}

hosts/marpa/services/default.nix

@@ -0,0 +1,24 @@
+{
+  # imports = [
+  #   ./logind.nix
+  #   ../../../system
+  # ];
+  # imports = [
+  #   ./logind.nix
+  #   ../../../modules/ssh.nix
+  #   ../../../modules/sunshine.nix
+  # ];
+
+  # modules = {
+  #   sunshine = {
+  #     enable = true;
+  #     autostart = true;
+  #   };
+  # };
+  # services = {
+  #   blueman.enable = true;
+  #   fwupd.enable = true;
+  #   printing.enable = true;
+  #   openssh.enable = true;
+  # };
+}

hosts/marpa/services/logind.nix

@@ -0,0 +1,6 @@
+{
+  services.logind = {
+    powerKey = "ignore";
+    powerKeyLongPress = "ignore";
+  };
+}

hosts/tilo/configuration.nix

@@ -1,23 +1,15 @@
 # Edit this configuration file to define what should be installed on your
 # system.  Help is available in the configuration.nix(5) man page and in
 # the NixOS manual (accessible by running ‘nixos-help’).
-{
-  pkgs,
-  inputs,
-  ...
-}: {
+{inputs, ...}: {
   imports = [
     ./hardware-configuration.nix
     inputs.home-manager.nixosModules.default
-    ../../modules/locale.nix
-    ../../modules/system.nix
-    ../../modules/ssh.nix
-    ../../modules/endlessh.nix
-    ../../programs/nano.nix
+    ../../system
+    ./services
   ];
 
-  system = {
-    amdgpu.enable = false;
+  mySystem = {
     boot = {
       kernel = {
         hardened = true;
@@ -28,51 +20,43 @@
         pools = ["tank"];
       };
     };
-    docker.enable = true;
+    dev.docker.enable = true;
+    misc.keymap = "fr-bepo";
     networking = {
       hostname = "tilo";
       id = "7110b33f";
       firewall = {
         openPorts = [
-          22 # SSH
           80 # HTTP
           443 # HTTPS
-          2222 # endlessh
           25565 # Minecraft
         ];
-        extraCommands = ''
-          iptables -I INPUT 1 -i 172.16.0.0/12 -p tcp -d 172.17.0.1 -j ACCEPT
-          iptables -I INPUT 1 -i 172.16.0.0/12 -p tcp -d 172.17.0.1 -j ACCEPT
-        '';
       };
     };
-    nix.gc.automatic = true;
-    sound.enable = false;
+    packages.nix = {
+      gc.automatic = true;
+      trusted-users = ["root" "phundrak"];
+    };
+    services = {
+      calibre.enable = true;
+      endlessh.enable = true;
+      jellyfin.enable = true;
+      plex = {
+        enable = true;
+        dataDir = "/tank/web/stacks/plex/plex-config";
+      };
+      ssh = {
+        enable = true;
+        allowedUsers = ["phundrak"];
+        passwordAuthentication = false;
+      };
+    };
     users = {
       root.disablePassword = true;
-      phundrak = true;
+      phundrak.enable = true;
     };
-    console.keyMap = "fr-bepo";
   };
 
-  modules = {
-    ssh = {
-      enable = true;
-      allowedUsers = ["phundrak"];
-      passwordAuthentication = false;
-    };
-    endlessh.enable = true;
-  };
-
-  nixpkgs.config.allowUnfree = true;
-
-  environment.systemPackages = [pkgs.openssl];
-
-  # imports = [
-  #   # Include the results of the hardware scan.
-  #   ./services.nix
-  # ];
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

hosts/tilo/services/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [./nextcloud-cron.nix];
+}

hosts/tilo/services/nextcloud-cron.nix

@@ -0,0 +1,33 @@
+{pkgs, ...}: {
+  systemd = {
+    timers."nextcloud-cron" = {
+      wantedBy = ["timers.target"];
+      timerConfig = {
+        OnBootSec = "20m";
+        OnUnitActiveSec = "20m";
+        Unit = "nextcloud-cron.service";
+      };
+    };
+    services."nextcloud-cron" = {
+      script = ''
+        CONTAINER_NAME="nextcloud-nextcloud-1"
+
+        is_container_running() {
+          ${pkgs.docker}/bin/docker inspect -f '{{.State.Running}}' "$CONTAINER_NAME" 2>/dev/null | grep -q "true"
+        }
+
+        while ! is_container_running; do
+            echo "Waiting for $CONTAINER_NAME to start..."
+            sleep 10
+        done
+
+        echo "$CONTAINER_NAME is running. Executing CRON job..."
+        ${pkgs.docker}/bin/docker exec -u www-data -it nextcloud-nextcloud-1 php /var/www/html/cron.php
+      '';
+      serviceConfig = {
+        Type = "oneshot";
+        User = "root";
+      };
+    };
+  };
+}

keys/id_alys.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTv1lb6d99O84jeh6GdjPm8Gnt/HncSRhGhmoTq7BMK lucien@phundrak.com

modules/amdgpu.nix

@@ -1,17 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-with lib; let
-  cfg = config.modules.amdgpu;
-in {
-  options.modules.amdgpu.enable = mkEnableOption "Enables an AMD GPU configuration";
-  config = mkIf cfg.enable {
-    systemd.tmpfiles.rules = [
-      "L+    /opt/rocm/hip   -    -    -     -    ${pkgs.rocmPackages.clr}"
-    ];
-    hardware.graphics.extraPackages = with pkgs; [rocmPackages.clr.icd];
-  };
-}

modules/opentablet.nix

@@ -1,6 +0,0 @@
-{
-  hardware.opentabletdriver = {
-    enable = true;
-    daemon.enable = true;
-  };
-}

modules/sunshine.nix

@@ -1,22 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
-  cfg = config.modules.sunshine;
-in {
-  options.modules.sunshine = {
-    enable = mkEnableOption "Enables moonlight";
-    autostart = mkEnableOption "Enables autostart";
-  };
-  config.services.sunshine = mkIf cfg.enable {
-    enable = true;
-    autoStart = cfg.autostart;
-    capSysAdmin = true;
-    openFirewall = true;
-    settings = {
-      sunshine_name = "marpa";
-    };
-  };
-}

modules/system.nix

@@ -1,171 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}:
-with lib; let
-  cfg = config.system;
-in {
-  imports = [
-    ./amdgpu.nix
-    ./boot.nix
-    ./locale.nix
-    ./networking.nix
-    ./nix.nix
-    ./plymouth.nix
-    ./sound.nix
-    ./users.nix
-    ./dev/docker.nix
-  ];
-
-  options.system = {
-    amdgpu.enable = mkEnableOption "Enables AMD GPU support";
-    boot = {
-      kernel = {
-        package = mkOption {
-          type = types.raw;
-          default = pkgs.linuxPackages_zen;
-        };
-        modules = mkOption {
-          type = types.listOf types.str;
-          default = [];
-        };
-        cpuVendor = mkOption {
-          description = "Intel or AMD?";
-          type = types.enum ["intel" "amd"];
-          default = "amd";
-        };
-        v4l2loopback = mkOption {
-          description = "Enables v4l2loopback";
-          type = types.bool;
-          default = true;
-        };
-        hardened = mkEnableOption "Enables hardened Linux kernel";
-      };
-      plymouth.enable = mkEnableOption "Enables Plymouth";
-      zfs = {
-        enable = mkEnableOption "Enables ZFS";
-        pools = mkOption {
-          type = types.listOf types.str;
-          default = [];
-        };
-      };
-    };
-    docker = {
-      enable = mkEnableOption "Enable Docker";
-      podman.enable = mkEnableOption "Enable Podman rather than Docker";
-      nvidia.enable = mkEnableOption "Activate Nvidia support";
-      autoprune.enable = mkEnableOption "Enable autoprune";
-    };
-    networking = {
-      hostname = mkOption {
-        type = types.str;
-        example = "gampo";
-      };
-      id = mkOption {
-        type = types.str;
-        example = "deadb33f";
-      };
-      hostFiles = mkOption {
-        type = types.listOf types.path;
-        example = [/path/to/hostFile];
-        default = [];
-      };
-      firewall = {
-        openPorts = mkOption {
-          type = types.listOf types.int;
-          example = [22 80 443];
-          default = [];
-        };
-        openPortRanges = mkOption {
-          type = types.listOf (types.attrsOf types.port);
-          default = [];
-          example = [
-            {
-              from = 8080;
-              to = 8082;
-            }
-          ];
-          description = ''
-            A range of TCP and UDP ports on which incoming connections are
-            accepted.
-          '';
-        };
-        extraCommands = mkOption {
-          type = types.nullOr types.lines;
-          example = "iptables -A INPUTS -p icmp -j ACCEPT";
-          default = null;
-        };
-      };
-    };
-    nix = {
-      disableSandbox = mkOption {
-        type = types.bool;
-        default = false;
-      };
-      gc = {
-        automatic = mkOption {
-          type = types.bool;
-          default = true;
-        };
-        dates = mkOption {
-          type = types.str;
-          default = "Monday 01:00 UTC";
-        };
-        options = mkOption {
-          type = types.str;
-          default = "--delete-older-than 30d";
-        };
-      };
-    };
-    sound = {
-      enable = mkEnableOption "Whether to enable sounds with Pipewire";
-      alsa = mkOption {
-        type = types.bool;
-        example = true;
-        default = true;
-        description = "Whether to enable ALSA support with Pipewire";
-      };
-      jack = mkOption {
-        type = types.bool;
-        example = true;
-        default = false;
-        description = "Whether to enable JACK support with Pipewire";
-      };
-      package = mkOption {
-        type = types.package;
-        example = pkgs.pulseaudio;
-        default = pkgs.pulseaudioFull;
-        description = "Which base package to use for PulseAudio";
-      };
-    };
-    users = {
-      root.disablePassword = mkEnableOption "Disables root password";
-      phundrak = mkOption {
-        type = types.bool;
-        default = true;
-      };
-    };
-    timezone = mkOption {
-      type = types.str;
-      default = "Europe/Paris";
-    };
-    console.keyMap = mkOption {
-      type = types.str;
-      default = "fr";
-    };
-  };
-
-  config = {
-    time.timeZone = cfg.timezone;
-    console.keyMap = cfg.console.keyMap;
-    modules = {
-      boot = {
-        inherit (cfg) amdgpu;
-        inherit (cfg.boot) kernel plymouth zfs;
-      };
-      inherit (cfg) sound users networking docker amdgpu;
-    };
-  };
-}

programs/flatpak.nix

@@ -1,3 +0,0 @@
-{
-  services.flatpak.enable = true;
-}

programs/hyprland.nix

@@ -1,49 +0,0 @@
-{
-  config,
-  lib,
-  ...
-}:
-with lib; let
-  cfg = config.modules.hyprland;
-in {
-  options.modules.hyprland = {
-    enable = mkEnableOption "Enables Hyprland";
-    config = mkOption {
-      type = types.lines;
-      default = "";
-    };
-    waybar = {
-      config = mkOption {
-        type = types.lines;
-        default = "";
-      };
-      style = mkOption {
-        type = types.nullOr types.path;
-        default = null;
-      };
-    };
-  };
-
-  config = {
-    wayland.windowManager.hyprland = mkIf cfg.enable {
-      enable = true;
-      xwayland.enable = true;
-      systemd.enable = true;
-      extraConfig = cfg.config;
-    };
-    services.wpaperd = {
-      enable = true;
-      settings = ''
-        [default]
-        path = "/home/phundrak/Pictures/Wallpapers/nord"
-        duration = "5m"
-        sorting = "ascending"
-      '';
-    };
-    programs.waybar = {
-      enable = true;
-      inherit (cfg.waybar) config style;
-      systemd.enableInspect = true;
-    };
-  };
-}

programs/steam.nix

@@ -1,21 +0,0 @@
-{pkgs, ...}: {
-  programs = {
-    steam = {
-      enable = true;
-      protontricks.enable = true;
-      remotePlay.openFirewall = true;
-      localNetworkGameTransfers.openFirewall = true;
-      gamescopeSession.enable = true;
-      extraCompatPackages = [pkgs.proton-ge-bin];
-    };
-    gamescope = {
-      enable = true;
-      capSysNice = true;
-      args = [
-        "--rt"
-        "--expose-wayland"
-      ];
-    };
-  };
-  hardware.steam-hardware.enable = true;
-}

secrets/secrets.yaml

@@ -1,10 +1,10 @@
-extraHosts: ENC[AES256_GCM,data:nuEU+Tlj9BBEO/459B7u74WEdlDmvn3coWkk3JG5uqWXR1G4tk6H8EvQAY/xAuqcM01T4psaeqQTxZA+U626zMQ++vOsYwI8cch8m0xIkKKJ3Ztyqeip8egK2xPywdJp69Z5XhweF3RlxPBTroMcCoqHG0rFQmPuwaWrM/DJ6HQBGqKA3wmaYXAC4OLFVGNzLNLfWD85PAxK1YTJnClaerFdwsxm9tq+HNg7zEnOUVyQjm2l16MKkV1kybddNFc6SKHmm2e/XYNQ85eRm1ALq1v1WRPLaa87MsPLM6svwNy5hEMX+AQKfGBL4hLUKOw+yPktfSnGhj8uDO6IUTjySzkgdYIu37E8ozN8CZ2m+5wYDjf1NU34/yUo2p3RZISuy52qEhGE0jsIeDiC6KMPs6/dHKpxbkRVhe7ZWpZvee7dhWyAkW4lk+MA1p3OklCBdTn8JcrAlVcKf0n1+XyK5ua0q5ja6UKg1Q5Y1LGFPInt+styJ65HdvqBcdLiG7DCQYHGpWGIeSNglbAKPMCeBCablN/2gLLYOK08RXwwSAj1V5lCXAKoc3FfnX73ELRelzLwE2MNJZCn0DqnqP0vOnzXM9ftWVODCjcIEmLUX+CL7hBNLrWcp+Q3ALQcSZsAVejpP8Iajo85R/Hc+2OtqfXijoJNacaMgKCX/5ZWOFEwNUdto3xSRQXu2Ck//F4F/0Ez6yqOFux1byjdyHDbGGdFz02DTZUkOtsPVssyqz1nEHepDQM0EmAAxAR6D8hHOnZGesfqbS+5Xd3+KlfxyFC2mHDxK4WZPCHTAEsenWEiQTGfaOT+1bpbimRfUcqiRXukSUeHY2cKf/reNw0MT7t5n1mvidihP3sJuc573ViUlG+Ts8ctyZ/+tKU2aCMz3wevPzZNiIVqXsB2lC8c,iv:MnbM30XhdQFOPmc4x/a7YaDmnCDCFHS2Nm8plh+raSo=,tag:SpHUqyeSVdtf8uk4SyjmOA==,type:str]
+extraHosts: ENC[AES256_GCM,data:i2B5DEjVm7P0V77oVzGIgU08dcpmxy8EgoJz4nPuhfpOBZI1BQpRTOOoSVRZzY6SNpLQCcNDVCwvuhtS12w7NAgIFvBhSigzwJVaWZiC78qTjXanbjSW6fvT1SQqb+YOD+4qkpuuxT5pdBKkyHZvjGM6elyA0K6JzpiCE33+Ag/4SIFTyDrdhJN2HQule54aBDVObg5s7zmPnDo9bCX0XXXCbFpdOfJMKI+89c+Gfm0dJrnDwHcks3p1ZrrSfLn3NhC+Rryc8FHMCtw936WKv+TcP124XGYxXrdEFKngB/pJLhUZlzDeC4v33xtPemOdQrK7vGjO0YZ7WBbO5oXvHw6R1pqC7iMDWjKQBbPit8IB3rngXeMOPEHxbEp1W0MEHbp3bg4GH/SAnxKkfeAFxhMNMBolO12KTntaLCurTSKXhXCIn9SSxFcoWK6kIeo6cpejcHdqGbtV8eL3znZ+MXzvEDRwiy5Sofxa31aAoItwX7kK1YHbpMT95jfr8rKc4yR7tkJWmJkmU494x/lhLkyQbXj25cNcJE7v+hLtQkJ1gdHRgYxYJFxG+VbroSS5HjkRvameuLMfk5dHxg+0bifXEV1FjhKtZqM5JQNEFOHUzvrs5u8m3NKNr13onuT5soh3GKAlh8AMX7p5Etud0BpQPdU7HT5WXRyuP7JMZL5wsjRsGWRxnQaQbnV6qg1b1JP25b6iRj0DFHZJeIEEOU20wDwDQDCoXzJS8vlMbZOC0W9/NVWgwz+UAWQz/yxzRGbconWr6zUhvwcwYBtDhYb6KD0GFxn6yfB/zfMvRHZz8AFF4w00Bx4F2L3nvF4lltnkHkdy9Qql6RsshsVFpPjrhzCrABFBrP0js1OCRw==,iv:Mx7LgF/1z/aZtyvIYafELx2tg2VZ3wTpV0zI04DLxU0=,tag:ZZImkH5/6atDOIzaXJC0Bg==,type:str]
 mopidy:
     spotify: ENC[AES256_GCM,data:SaDT0iSWhsgVOi1s+Nzbr0Mur3t2Zd9z/KIUshGWtbPfkXXIoiJeJFtoZIz5NL/t5FooYsNfU1mGYgDeVYSD4BPibW8hiCYrX6L6OX+Q6ZEWXXx/1eBEs2/q0BrWGvy7frcurq/Px4R3ax0dXJe/YKbpAtU7+bQl,iv:F2zT+uMVBMnSEZqgcRmV8/fc3G/g2fKDuHuBzkyBRN0=,tag:CD8fuOQfe6QCrj4BUh0/xw==,type:str]
     bandcamp: ENC[AES256_GCM,data:diEx2fbkOR1oUav81jU5bNt/KNmbOaVzLV+G3zBUVXE7nEQpZNqVom0rgNrEVDGzH3u/IaA5eqG5ce9lE0BomeY8Z4MWI1xujhX5KsXdv21aw4UwsNgyLPuWhkN2POUMfCJlvekc/TFfFvJHyysx8aKxeI4dsg==,iv:cxx0cVkjOPG+hMD8JctJHdcICJt7ozpfRBVSCDBo6Ro=,tag:JRjwwvieGaGZJ+k56HWFaw==,type:str]
 emailPassword: ENC[AES256_GCM,data:LALAvyuNN9bfa8D6ZK1YiFXRfxLOBi9kXA0N0Kr7h18eAI4hWQ==,iv:WtidILFfWCMKylax52JP+X57GfZyYlxJtiwrC6SADik=,tag:NvOrsL3fbmxQZp06GZhUZA==,type:str]
 ssh:
-    hosts: ENC[AES256_GCM,data:jLLehzuBuBh22ZukRlqjQJNBg0ri8go58SJfs4GjNqNdvI/H0NWRS0apqLPzERkbpPipex3kUiFIc6BH+usSSpfh/MWico8qZDKVD7Ekx6F8k45I2Pq+mbLsMEo3XfjcnfYgDWn2I7/jyidBsvA+m9VnjU8/Cnk5O/YeIZQRvfOZ4xc8zw7C/vqmxsNi2KZr+2N23L+eetoKM4J6AigmINH41wAL3/RlB0oCpjSHSkbp7Glu2LlyJygS52p9m5pq4QBXtoiu5AJ6qG17LrypmDjfxE2zU2R3Zu6VLbs4zWQY2+W36j33Fm5nMkMMPJAEdRR27HPxM2EAEuH4OI1Jbup669sln9nJxnO2zYveplNPsAb3a16D4L9rwSzUd1s2W+NlqBSYdyAktuvtPWf1vAg9+Fob9jUgUFGTQpNF8Xj1n+DqvXlLQknsB/7EhNSSnYyQS36wHF9KBHJwexpYbhnGiMuLjN6KXbr/YYawocSA/5o8s6X/tRXKMkXtZjoEsyr1aNMj+4gSHaSUOG78r3VwAHLOXNez67xFpKMa/IQfQhj2Zng8142hhL4hPyNtuTOK3oVvPjZtAfbfxesUi+Zx2VhaJsnmj6J4gAOWU9nVpol67V0hNSD4LMUOZwwPst11IyJsXjkKKY0iy7ykFMTk6KalkVUqlYOmQRIXtBE9sD4esC+FGH1ONi3n0tbG7YivmV3YSmxk0RvQ/YlKGOchKpPH/bzN/X+NZh6A3Uk5uDsqU+GOjfDY2yIgetw4FAQ42YMxNmTJjq6MpcaETb5eQm8wee4QaVODocXHyknfWs6FYGNUjQpYp3+zxKJovHuKQcFgug3t8Si5hKnQz6KDZNaoDE0UMBR2ABbAX1Bcvu0lLHzaPXpGfXyoAe+B3MwF9/TTVkCNNYhNKm63P7qUuIbKLLCDXH6e4y5YiIF8Sl9jF/kR8v8MbLgrAROx8NlTm5CqNhQWOPQQyQXvXEl5hwHyF9ptrXUB9wIe,iv:6Lzbf+DBTfaZj7NhTJ07dVPuaViP61V4N2QHPTEFzMQ=,tag:8t4c0DJmAwg/0qRLBW4vCQ==,type:str]
+    hosts: ENC[AES256_GCM,data:nuMA50lZVxi/b2Y95Om00DIXkfHV+5epXzgFJTUk1r78y71/q/1wDa0bb9bqaMhElivDrX2mzS7IplLqLry43VkGAiE00WrdT7pLM+NSDtm7VV3kake7qorkpydxczHeVg5VP/b1FMzpQ1gFoAVg6iY9tYBnfTa5MdQI3ktQBRYWU5XmVMFNquTBG10wOKxgTUdkh6smcYmU5YlDUdeM6gTt9QPSHlglOGCe/w3tuXOWkBNcNtNiwQoaKTwIkhisu8R6h/qwtOBBt0wEpOv+KtdYQ0Y9o7/KiN2mG24+/mASfAYTAhifSnCY0vDe145gkrQzFttzZDI6l4OgjYF9rIsP+hKwUChGObW90HVVKQbJ8oDoG+l9L+IxLxs8v/v1690Xtra+PPvZCgGqhXqpoqBL/OgNdR26p/G8Oid81Nb0ob8DstYLjYlcg7ZjPiruMtRwhKoa4z++pe+poepGAPHdKkLvAvzFUKwcqRfR7RNgNgZR8hFAe7Tg5m3ApF+koGWjcoKCyALgc/hP6LTBmiJuj6OySFl1cTtkKHPsYXa49St+lOB32MXCH2ysAI6860ZcJqpAFTQ1Yd2XYu+Xrbxcm381mE02Tw20+VP2OPyEYt+ida2TKAzM3aXiMGTRpSkwzkKXsRoBskVQxv3z+6c+w87I9ZmoZHqHM7dWcRAuj2bT2ZWeExPyEmUFczMjCcFFEepnlKWOYmkUZmjDfqZ1mtR3bBK271AnVHakS5jajbhhyu6VDMLYIQmBPDFpZnyCE2qgb9FbXBbqoq+qc/9w+7gCdXNnb1tDdiJ8E4k7no6oU5jrRMGHNX3UOMDs/Y9NS0vPsnqBpr7Pf+H6bxncXWoaimijoi1OxvUFMbRvT5uUgP/JNDZDGBhlY3zRiUnDhTuHF5vP8wisqsba7zwpoqIchI3hbxm+lWXt09ZTnR2A1uR3DTlEEjGUMpD5K5CWkgTalgaHYI9jh9n66rYop9evlngZlg5Cth/Lieh/34fcIUzHAQMbxUKqoRU9zHHQJ51AZIovTtegXmgPmQ8fw6F3uBQ5gg+T1CiaCqs5nUd9ERM=,iv:DNg2EEPmylLf2CqR9eqJYzngGizTraPNImIGTJwl8kI=,tag:StZ6H+1ec/i0l94Cv+AhOA==,type:str]
 sops:
     age:
         - recipient: age1ajemtm502nn2n4q7v4j8meyd5mxtcqngkkedxq2pqzuwu78zp93qnw8q48
@@ -61,7 +61,7 @@ sops:
             QmJKNDJUY0RSakhwNWlkOVpib0trc1kK0tQxD9I82pjfs54eruu+IjzVUmcVBCPw
             9mp1xKiYRRMXt3YQn6MPiyuuX3l3UB5MH0RJMNtRq0D961rs+iiS5A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-04T01:05:13Z"
-    mac: ENC[AES256_GCM,data:/wuo0bg48xlbP074JJ0rtmclWMG9vjlJnWjJnUaz45m+Gqj4IzA5ctSZdNnFTb7/CXkynJdFHme4/Nz8I/6+zzTFBeo/nVw43s1n0XmMqVYb2U/FTikvCMowHNnfMTY5Q83jD1MtE3XsRSCzxe649D4Zbcja8XG42v5rOt3geMA=,iv:n/yFp5f+LK8JaikifjRuieNtmcazl2VNz8rIzbvgBO8=,tag:Fs4+St1lxMn+VdEoP+Eo8g==,type:str]
+    lastmodified: "2025-11-28T12:26:45Z"
+    mac: ENC[AES256_GCM,data:T4/aWHN9ILjaI1WAyO8VUQz87H0dmWjC3E6WnlNaRmTr5kDgpm6nYJHFGnrEEFUTPzAGluMTJzC3Sji6CqLKX7opOUtoDgUqiNHgz0oz7B28+RFGqxspo3IoCM4lJNrKBkZHnrKJFPUooYKc8aNm/goWWHQ/dL2uQ46Hvx9zK+o=,iv:Xq5XcYxkBCWMLFCgCYmkPgwBWMXpLFBPZY3iTTnXRcs=,tag:ZAPZAAv+qy4BM47aCgK89g==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

system/boot/boot.nix

@@ -5,10 +5,16 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.boot;
+  cfg = config.mySystem.boot;
 in {
-  options.modules.boot = {
-    amdgpu.enable = mkEnableOption "Enables an AMD GPU configuration";
+  options.mySystem.boot = {
+    extraModprobeConfig = mkOption {
+      type = types.lines;
+      default = "";
+      example = ''
+        options snd_usb_audio vid=0x1235 pid=0x8212 device_setup=1
+      '';
+    };
     kernel = {
       package = mkOption {
         type = types.raw;
@@ -30,6 +36,11 @@ in {
       };
       hardened = mkEnableOption "Enables hardened Linux kernel";
     };
+    systemd-boot = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Does the system use systemd-boot?";
+    };
     zfs = {
       enable = mkEnableOption "Enables ZFS";
       pools = mkOption {
@@ -40,10 +51,10 @@ in {
   };
 
   config.boot = {
-    initrd.kernelModules = lists.optional cfg.amdgpu.enable "amdgpu";
+    initrd.kernelModules = lists.optional config.mySystem.hardware.amdgpu.enable "amdgpu";
     loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
+      systemd-boot.enable = cfg.systemd-boot;
+      efi.canTouchEfiVariables = cfg.systemd-boot;
     };
     supportedFilesystems = mkIf cfg.zfs.enable ["zfs"];
     zfs.extraPools = mkIf cfg.zfs.enable cfg.zfs.pools;

system/boot/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./boot.nix
+    ./plymouth.nix
+    ./zram.nix
+  ];
+}

system/boot/plymouth.nix

@@ -5,9 +5,9 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.boot.plymouth;
+  cfg = config.mySystem.boot.plymouth;
 in {
-  options.modules.boot.plymouth.enable = mkEnableOption "Enables Plymouth at system boot";
+  options.mySystem.boot.plymouth.enable = mkEnableOption "Enables Plymouth at system boot";
   config.boot = mkIf cfg.enable {
     plymouth = {
       inherit (cfg) enable;

system/boot/zram.nix

@@ -0,0 +1,21 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.boot.zram;
+in {
+  options.mySystem.boot.zram = {
+    enable = mkEnableOption "Enable ZRAM";
+    memoryMax = mkOption {
+      type = types.int;
+      example = "512";
+      description = "Maximum size allocated to ZRAM in MiB";
+    };
+  };
+  config.zramSwap = mkIf cfg.enable {
+    inherit (cfg) enable;
+    memoryMax = cfg.memoryMax * 1024 * 1024;
+  };
+}

system/default.nix

@@ -0,0 +1,44 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.misc;
+in {
+  imports = [
+    ./boot
+    ./desktop
+    ./dev
+    ./hardware
+    ./i18n
+    ./network
+    ./packages
+    ./security
+    ./services
+    ./users
+  ];
+
+  options.mySystem.misc = {
+    timezone = mkOption {
+      type = types.str;
+      default = "Europe/Paris";
+    };
+    keymap = mkOption {
+      type = types.str;
+      default = "fr";
+      example = "fr-bepo";
+      description = "Keymap to use in the TTY console";
+    };
+  };
+
+  config = {
+    boot.tmp.cleanOnBoot = true;
+    time.timeZone = cfg.timezone;
+    console.keyMap = cfg.keymap;
+    services = {
+      orca.enable = false;
+      envfs.enable = true;
+    };
+  };
+}

system/desktop/default.nix

@@ -0,0 +1,8 @@
+{
+  imports = [
+    ./hyprland.nix
+    ./niri.nix
+    ./waydroid.nix
+    ./xserver.nix
+  ];
+}

system/desktop/hyprland.nix

@@ -0,0 +1,14 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.desktop.hyprland;
+in {
+  options.mySystem.desktop.hyprland.enable = mkEnableOption "Enables Hyprland";
+  config.programs.hyprland = mkIf cfg.enable {
+    inherit (cfg) enable;
+    withUWSM = true;
+  };
+}

system/desktop/niri.nix

@@ -0,0 +1,13 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.desktop.niri;
+in {
+  options.mySystem.desktop.niri.enable = mkEnableOption "Enables Niri";
+  config.programs.niri = mkIf cfg.enable {
+    inherit (cfg) enable;
+  };
+}

system/desktop/waydroid.nix

@@ -0,0 +1,15 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.desktop.waydroid;
+in {
+  options.mySystem.desktop.waydroid.enable = mkEnableOption "Enables Waydroid";
+  config = mkIf cfg.enable {
+    virtualisation.waydroid.enable = cfg.enable;
+    environment.systemPackages = [pkgs.waydroid-helper];
+  };
+}

system/desktop/xserver.nix

@@ -4,10 +4,10 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.xserver;
+  cfg = config.mySystem.desktop.xserver;
 in {
-  options.modules.xserver = {
-    amdgpu.enable = mkEnableOption "Enables AMD GPU support";
+  options.mySystem.desktop.xserver = {
+    enable = mkEnableOption "Enables xserver";
     de = mkOption {
       type = types.enum ["gnome" "kde"];
       default = "gnome";
@@ -15,9 +15,15 @@ in {
       description = "Which DE to enable";
     };
   };
-  config.services = {
-    displayManager.sddm.enable = mkIf (cfg.de == "kde") true;
-    desktopManager.plasma6.enable = mkIf (cfg.de == "kde") true;
+  config.services = mkIf cfg.enable {
+    displayManager = {
+      sddm.enable = mkIf (cfg.de == "kde") true;
+      gdm.enable = mkIf (cfg.de == "gnome") true;
+    };
+    desktopManager = {
+      plasma6.enable = mkIf (cfg.de == "kde") true;
+      gnome.enable = mkIf (cfg.de == "gnome") true;
+    };
 
     gnome = mkIf (cfg.de == "gnome") {
       gnome-browser-connector.enable = true;
@@ -28,10 +34,8 @@ in {
     };
 
     xserver = {
-      enable = true;
-      displayManager.gdm.enable = mkIf (cfg.de == "gnome") true;
-      desktopManager.gnome.enable = mkIf (cfg.de == "gnome") true;
-      videoDrivers = lists.optional cfg.amdgpu.enable "amdgpu";
+      inherit (cfg) enable;
+      videoDrivers = lists.optional config.mySystem.hardware.amdgpu.enable "amdgpu";
       xkb = {
         layout = "fr";
         variant = "bepo_afnor";

system/dev/default.nix

@@ -0,0 +1,3 @@
+{
+  imports = [./docker.nix ./qemu.nix];
+}

system/dev/docker.nix

@@ -1,21 +1,31 @@
 {
   lib,
   config,
+  pkgs,
   ...
 }:
 with lib; let
-  cfg = config.modules.docker;
+  cfg = config.mySystem.dev.docker;
 in {
-  options.modules.docker = {
+  options.mySystem.dev.docker = {
     enable = mkEnableOption "Enable Docker";
     podman.enable = mkEnableOption "Enable Podman rather than Docker";
     nvidia.enable = mkEnableOption "Activate Nvidia support";
     autoprune.enable = mkEnableOption "Enable autoprune";
   };
 
-  config = {
-    virtualisation = {
-      docker = mkIf (cfg.enable && !cfg.podman.enable) {
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs;
+      [
+        dive # A tool for exploring each layer in a docker image
+        grype # Vulnerability scanner for container images and filesystems
+      ]
+      ++ lists.optionals cfg.podman.enable [
+        podman-compose
+        podman-desktop
+      ];
+    virtualisation = mkIf cfg.enable {
+      docker = mkIf (!cfg.podman.enable) {
         enable = true;
         enableNvidia = cfg.nvidia.enable;
         autoPrune.enable = cfg.autoprune.enable;

system/dev/qemu.nix

@@ -0,0 +1,33 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.dev.qemu;
+in {
+  options.mySystem.dev.qemu = {
+    enable = mkEnableOption "Enable QEMU";
+    users = mkOption {
+      type = types.listOf types.str;
+      default = ["phundrak"];
+      example = ["user1" "user2"];
+    };
+  };
+  config = mkIf cfg.enable {
+    programs.virt-manager.enable = true;
+    users.groups.libvirtd.members = cfg.users;
+    virtualisation = {
+      libvirtd.enable = true;
+      spiceUSBRedirection.enable = true;
+    };
+    environment.systemPackages = with pkgs; [
+      qemu
+      quickemu
+      swtpm
+    ];
+    systemd.tmpfiles.rules = ["L+ /var/lib/qemu/firmware - - - - ${pkgs.qemu}/share/qemu/firmware"];
+    boot.binfmt.emulatedSystems = ["aarch64-linux"];
+  };
+}

system/hardware/amdgpu.nix

@@ -0,0 +1,62 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.hardware.amdgpu;
+in {
+  options.mySystem.hardware.amdgpu.enable = mkEnableOption "Enables an AMD GPU configuration";
+  config = mkIf cfg.enable {
+    hardware = {
+      graphics = {
+        enable = true;
+        enable32Bit = true;
+        extraPackages = with pkgs; [
+          mesa # Mesa drivers for AMD GPUs
+          rocmPackages.clr # common language runtime for ROCm
+          rocmPackages.clr.icd # ROCm ICD for OpenCL
+          rocmPackages.rocblas # ROCm BLAS library
+          rocmPackages.hipblas #
+          rocmPackages.rpp # High-performance computer vision library
+          nvtopPackages.amd # GPU utilization monitoring
+        ];
+      };
+      amdgpu = {
+        initrd.enable = true;
+        opencl.enable = true;
+      };
+    };
+    environment.systemPackages = with pkgs; [
+      clinfo
+      amdgpu_top
+      nvtopPackages.amd
+    ];
+    systemd = {
+      packages = with pkgs; [lact];
+      services.lactd.wantedBy = ["multi-user.target"];
+      tmpfiles.rules = let
+        rocmEnv = pkgs.symlinkJoin {
+          name = "rocm-combined";
+          paths = with pkgs.rocmPackages; [
+            clr
+            clr.icd
+            rocblas
+            hipblas
+            rpp
+          ];
+        };
+      in [
+        "L+    /opt/rocm   -    -    -     -    ${rocmEnv}"
+      ];
+    };
+    environment.variables = {
+      ROCM_PATH = "/opt/rocm"; # Set ROCm path
+      HIP_VISIBLE_DEVICES = "1"; # Use only the eGPU (ID 1)
+      ROCM_VISIBLE_DEVICES = "1"; # Optional: ROCm equivalent for visibility
+      # LD_LIBRARY_PATH = "/opt/rocm/lib";         # Add ROCm libraries
+      HSA_OVERRIDE_GFX_VERSION = "10.3.0"; # Set GFX version override
+    };
+  };
+}

system/hardware/bluetooth.nix

@@ -0,0 +1,14 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.hardware.bluetooth;
+in {
+  options.mySystem.hardware.bluetooth.enable = mkEnableOption "Enable bluetooth";
+  config = mkIf cfg.enable {
+    hardware.bluetooth.enable = cfg.enable;
+    services.blueman.enable = cfg.enable;
+  };
+}

system/hardware/default.nix

@@ -0,0 +1,8 @@
+{
+  imports = [
+    ./amdgpu.nix
+    ./bluetooth.nix
+    ./sound.nix
+    ./input
+  ];
+}

system/hardware/input/corne.nix

@@ -0,0 +1,15 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.hardware.input.corne;
+in {
+  options.mySystem.hardware.input.corne.allowHidAccess = mkEnableOption "Enable HID access to the corne keyboard";
+  config.services.udev = mkIf cfg.allowHidAccess {
+    extraRules = ''
+      KERNEL=="hidraw*", SUBSYSTEM=="hidraw", ATTRS{serial}=="*vial:f64c2b3c*", MODE="0660", GROUP="users", TAG+="uaccess", TAG+="udev-acl"
+    '';
+  };
+}

system/hardware/input/default.nix

@@ -0,0 +1,8 @@
+{
+  imports = [
+    ./corne.nix
+    ./ibm-trackpoint.nix
+    ./opentablet.nix
+    ./trackball.nix
+  ];
+}

system/hardware/input/ibm-trackpoint.nix

@@ -0,0 +1,15 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.hardware.input.ibmTrackpoint;
+in {
+  options.mySystem.hardware.input.ibmTrackpoint.disable = mkEnableOption "Disable IBM’s trackpoint on ThinkPad";
+  config.services.udev = mkIf cfg.disable {
+    extraRules = ''
+      ATTRS{name}=="*TPPS/2 IBM TrackPoint", ENV{ID_INPUT}="", ENV{ID_INPUT_MOUSE}="", ENV{ID_INPUT_POINTINGSTICK}=""
+    '';
+  };
+}

system/hardware/input/opentablet.nix

@@ -0,0 +1,14 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.hardware.input.opentablet;
+in {
+  options.mySystem.hardware.input.opentablet.enable = mkEnableOption "Enables OpenTablet drivers";
+  config.hardware.opentabletdriver = mkIf cfg.enable {
+    inherit (cfg) enable;
+    daemon.enable = true;
+  };
+}

system/hardware/input/trackball.nix

@@ -0,0 +1,3 @@
+{
+  services.libinput.mouse.middleEmulation = true;
+}

system/hardware/sound.nix

@@ -5,10 +5,11 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.sound;
+  cfg = config.mySystem.hardware.sound;
 in {
-  options.modules.sound = {
+  options.mySystem.hardware.sound = {
     enable = mkEnableOption "Whether to enable sounds with Pipewire";
+    scarlett.enable = mkEnableOption "Activate support for Scarlett sound card";
     alsa = mkOption {
       type = types.bool;
       example = true;
@@ -29,12 +30,18 @@ in {
     };
   };
 
-  config.services.pipewire = mkIf cfg.enable {
-    enable = true;
-    alsa = mkIf cfg.alsa {
-      enable = mkDefault true;
-      support32Bit = mkDefault true;
+  config = {
+    environment.systemPackages = mkIf cfg.scarlett.enable [pkgs.alsa-scarlett-gui];
+    services.pipewire = mkIf cfg.enable {
+      enable = true;
+      alsa = mkIf cfg.alsa {
+        enable = mkDefault true;
+        support32Bit = mkDefault true;
+      };
+      jack.enable = mkDefault cfg.jack;
+    };
+    programs.noisetorch = mkIf cfg.enable {
+      inherit (cfg) enable;
     };
-    jack.enable = mkDefault cfg.jack;
   };
 }

system/i18n/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./locale.nix
+  ];
+}

system/network/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./networking.nix
+    ./tailscale.nix
+  ];
+}

system/network/networking.nix

@@ -4,30 +4,35 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.networking;
+  cfg = config.mySystem.networking;
 in {
-  options.modules.networking = {
+  options.mySystem.networking = with types; {
     hostname = mkOption {
-      type = types.str;
+      type = str;
       example = "gampo";
     };
     id = mkOption {
-      type = types.str;
+      type = str;
       example = "deadb33f";
     };
+    domain = mkOption {
+      type = nullOr str;
+      example = "phundrak.com";
+      default = null;
+    };
     hostFiles = mkOption {
-      type = types.listOf types.path;
+      type = listOf path;
       example = [/path/to/hostFile];
       default = [];
     };
     firewall = {
       openPorts = mkOption {
-        type = types.listOf types.int;
+        type = listOf int;
         example = [22 80 443];
         default = [];
       };
       openPortRanges = mkOption {
-        type = types.listOf (types.attrsOf types.port);
+        type = listOf (attrsOf port);
         default = [];
         example = [
           {
@@ -41,7 +46,7 @@ in {
         '';
       };
       extraCommands = mkOption {
-        type = types.nullOr types.lines;
+        type = nullOr lines;
         example = "iptables -A INPUTS -p icmp -j ACCEPT";
         default = null;
       };
@@ -52,7 +57,7 @@ in {
     hostName = cfg.hostname; # Define your hostname.
     hostId = cfg.id;
     networkmanager.enable = true;
-    inherit (cfg) hostFiles;
+    inherit (cfg) hostFiles domain;
     firewall = {
       enable = true;
       allowedTCPPorts = cfg.firewall.openPorts;

system/network/tailscale.nix

@@ -0,0 +1,16 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.network.tailscale;
+in {
+  options.mySystem.network.tailscale = {
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+    };
+  };
+  config.services.tailscale.enable = cfg.enable;
+}

system/packages/appimage.nix

@@ -0,0 +1,14 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.packages.appimage;
+in {
+  options.mySystem.packages.appimage.enable = mkEnableOption "Enables AppImage support";
+  config.programs.appimage = mkIf cfg.enable {
+    inherit (cfg) enable;
+    binfmt = true;
+  };
+}

system/packages/default.nix

@@ -0,0 +1,15 @@
+{pkgs, ...}: {
+  imports = [
+    ./appimage.nix
+    ./flatpak.nix
+    ./nano.nix
+    ./nix.nix
+    ./steam.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    curl
+    openssl
+    wget
+  ];
+}

system/packages/flatpak.nix

@@ -0,0 +1,22 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.packages.flatpak;
+in {
+  options.mySystem.packages.flatpak = {
+    enable = mkEnableOption "Enable Flatpak support";
+    builder.enable = mkEnableOption "Enable Flatpak builder";
+  };
+  config = {
+    services.flatpak = mkIf cfg.enable {
+      inherit (cfg) enable;
+    };
+    environment.systemPackages = mkIf cfg.builder.enable [
+      pkgs.flatpak-buildR
+    ];
+  };
+}

system/packages/nix.nix

@@ -4,10 +4,11 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.nix;
+  cfg = config.mySystem.packages.nix;
 in {
-  options.modules.nix = {
-    disableSandbox = mkEnableOption "Disables Nix sandbox";
+  options.mySystem.packages.nix = {
+    allowUnfree = mkEnableOption "Enable unfree packages";
+    disableSandbox = mkEnableOption "Disable Nix sandbox";
     gc = {
       automatic = mkOption {
         type = types.bool;
@@ -22,17 +23,27 @@ in {
         default = "--delete-older-than 30d";
       };
     };
+    nix-ld.enable = mkEnableOption "Enable unpatched binaries support";
+    trusted-users = mkOption {
+      type = types.listOf types.str;
+      example = ["alice" "bob"];
+      default = [];
+    };
   };
 
   config = {
     nix = {
+      inherit (cfg) gc;
       settings = {
+        inherit (cfg) trusted-users;
         sandbox = cfg.disableSandbox;
         experimental-features = ["nix-command" "flakes"];
         auto-optimise-store = true;
       };
-      inherit (cfg) gc;
     };
     nixpkgs.config.allowUnfree = true;
+    programs = {
+      inherit (cfg) nix-ld;
+    };
   };
 }

system/packages/steam.nix

@@ -0,0 +1,48 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.programs.steam;
+in {
+  options.mySystem.programs.steam.enable = mkEnableOption "Enables Steam and Steam hardware";
+  config = mkIf cfg.enable {
+    programs = {
+      steam = {
+        inherit (cfg) enable;
+        protontricks.enable = true;
+        remotePlay.openFirewall = true;
+        localNetworkGameTransfers.openFirewall = true;
+        gamescopeSession.enable = true;
+        extraCompatPackages = [pkgs.proton-ge-bin];
+        package = pkgs.steam.override {
+          extraEnv = {
+            MANGOHUD = true;
+            OBS_VKCAPTURE = true;
+            RADV_TEX_ANISO = 16;
+          };
+          extraLibraries = p: with p; [atk];
+          extraPkgs = pkgs:
+            with pkgs; [
+              qt5.qtmultimedia
+              qt5.qtbase
+              libpulseaudio
+            ];
+        };
+      };
+      gamescope = {
+        enable = true;
+        capSysNice = true;
+        args = [
+          "--rt"
+          "--expose-wayland"
+        ];
+      };
+    };
+    hardware.steam-hardware = {
+      inherit (cfg) enable;
+    };
+  };
+}

system/security/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./sops.nix
+  ];
+}

system/security/sops.nix

@@ -1,6 +1,6 @@
 {
   sops = {
-    defaultSopsFile = ../secrets/secrets.yaml;
+    defaultSopsFile = ../../secrets/secrets.yaml;
     defaultSopsFormat = "yaml";
     age = {
       # automatically import user SSH keys as age keys

system/services/calibre.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.services.calibre;
+in {
+  options.mySystem.services.calibre = {
+    enable = mkEnableOption "Enable Calibre Web";
+    user = mkOption {
+      type = types.str;
+      default = "phundrak";
+    };
+    group = mkOption {
+      type = types.str;
+      default = "users";
+    };
+    dataDir = mkOption {
+      type = types.str;
+      example = "/tank/calibre/conf";
+      default = "/tank/calibre/conf";
+    };
+    library = mkOption {
+      type = types.str;
+      example = "/tank/calibre/library";
+      default = "/tank/calibre/library";
+    };
+  };
+  config.services.calibre-web = mkIf cfg.enable {
+    inherit (cfg) enable user dataDir group;
+    options = {
+      calibreLibrary = cfg.library;
+      enableBookConversion = true;
+      enableBookUploading = true;
+    };
+  };
+}

system/services/default.nix

@@ -0,0 +1,13 @@
+{
+  imports = [
+    ./calibre.nix
+    ./endlessh.nix
+    ./fwupd.nix
+    ./jellyfin.nix
+    ./languagetool.nix
+    ./plex.nix
+    ./printing.nix
+    ./ssh.nix
+    ./sunshine.nix
+  ];
+}

system/services/endlessh.nix

@@ -4,9 +4,9 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.endlessh;
+  cfg = config.mySystem.services.endlessh;
 in {
-  options.modules.endlessh = {
+  options.mySystem.services.endlessh = {
     enable = mkEnableOption "Enables endlessh.";
     port = mkOption {
       type = types.port;

system/services/fwupd.nix

@@ -0,0 +1,13 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.services.fwupd;
+in {
+  options.mySystem.services.fwupd.enable = mkEnableOption "Enable fwupd";
+  config.services.fwupd = mkIf cfg.enable {
+    inherit (cfg) enable;
+  };
+}

system/services/jellyfin.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.services.jellyfin;
+in {
+  options.mySystem.services.jellyfin = {
+    enable = mkEnableOption "Enable Jellyfin";
+    dataDir = mkOption {
+      type = types.str;
+      default = "/tank/jellyfin/data";
+      example = "/tank/jellyfin/data";
+    };
+    user = mkOption {
+      type = types.str;
+      default = "phundrak";
+    };
+    group = mkOption {
+      type = types.str;
+      default = "users";
+    };
+  };
+  config.services.jellyfin = mkIf cfg.enable {
+    inherit (cfg) enable group user dataDir;
+  };
+}

system/services/languagetool.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.services.languagetool;
+in {
+  options.mySystem.services.languagetool = {
+    enable = mkEnableOption "Enables languagetool";
+    port = mkOption {
+      type = types.port;
+      default = 8081;
+      example = 80;
+    };
+  };
+  config.services.languagetool = mkIf cfg.enable {
+    inherit (cfg) enable port;
+  };
+}

system/services/plex.nix

@@ -0,0 +1,35 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.services.plex;
+in {
+  options.mySystem.services.plex = {
+    enable = mkEnableOption "Enable Plex";
+    group = mkOption {
+      type = types.str;
+      default = "users";
+      example = "users";
+      description = "Group under which Plex runs";
+    };
+    dataDir = mkOption {
+      type = types.str;
+      example = "/tank/plex-config";
+    };
+    user = mkOption {
+      type = types.str;
+      default = "phundrak";
+    };
+  };
+  config = {
+    services.plex = mkIf cfg.enable {
+      inherit (cfg) enable user group dataDir;
+      openFirewall = cfg.enable;
+    };
+    boot.kernel.sysctl = {
+      "kernel.unprivileged_userns_clone" = 1;
+    };
+  };
+}

system/services/printing.nix

@@ -0,0 +1,13 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.services.printing;
+in {
+  options.mySystem.services.printing.enable = mkEnableOption "Enable printing with CUPS";
+  config.services.printing = mkIf cfg.enable {
+    inherit (cfg) enable;
+  };
+}

system/services/ssh.nix

@@ -4,9 +4,9 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.ssh;
+  cfg = config.mySystem.services.ssh;
 in {
-  options.modules.ssh = {
+  options.mySystem.services.ssh = {
     enable = mkEnableOption "Enables OpenSSH";
     allowedUsers = mkOption {
       type = types.listOf types.str;
@@ -20,7 +20,7 @@ in {
     };
   };
   config.services.openssh = mkIf cfg.enable {
-    enable = true;
+    inherit (cfg) enable;
     settings = {
       AllowUsers = cfg.allowedUsers;
       PermitRootLogin = "no";

system/services/sunshine.nix

@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.services.sunshine;
+in {
+  options.mySystem.services.sunshine = {
+    enable = mkEnableOption "Enables Sunshine";
+    autostart = mkEnableOption "Enables autostart";
+  };
+  config.services.sunshine = mkIf cfg.enable {
+    inherit (cfg) enable;
+    autoStart = cfg.autostart;
+    capSysAdmin = true;
+    openFirewall = true;
+    settings.sunshine_name = config.mySystem.networking.hostname;
+    applications.apps = [
+      {
+        name = "Desktop";
+        image-path = "desktop.png";
+      }
+      {
+        name = "Low Res Desktop";
+        image-path = "desktop.png";
+      }
+      {
+        name = "Steam Big Picture";
+        detached = ["setsid steam steam://open/bigpicture"];
+        prep-cmd = {
+          do = "";
+          undo = "setsid steam steam://close/bigpicture";
+        };
+        image-path = "steam.png";
+      }
+      {
+        name = "OpenTTD";
+        cmd = "openttd";
+        image-path = "/home/phundrak/.config/sunshine/covers/igdb_18074.png";
+      }
+      {
+        name = "OpenMW";
+        cmd = "openmw";
+      }
+    ];
+  };
+}

system/users/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./phundrak.nix
+  ];
+}

system/users/phundrak.nix

@@ -5,14 +5,11 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.users;
+  cfg = config.mySystem.users;
 in {
-  options.modules.users = {
+  options.mySystem.users = {
     root.disablePassword = mkEnableOption "Disables root password";
-    phundrak = mkOption {
-      type = types.bool;
-      default = true;
-    };
+    phundrak.enable = mkEnableOption "Enables users phundrak";
   };
 
   config = {
@@ -21,17 +18,12 @@ in {
         hashedPassword = mkIf cfg.root.disablePassword "*";
         shell = pkgs.zsh;
       };
-      phundrak = {
+      phundrak = mkIf cfg.phundrak.enable {
         isNormalUser = true;
         description = "Lucien Cartier-Tilet";
-        extraGroups = ["networkmanager" "wheel" "docker" "dialout" "podman"];
+        extraGroups = ["networkmanager" "wheel" "docker" "dialout" "podman" "plugdev" "games" "audio" "input"];
         shell = pkgs.zsh;
-        openssh.authorizedKeys.keyFiles = [
-          ./keys/id_gampo.pub
-          ./keys/id_marpa.pub
-          ./keys/id_tilo.pub
-          ./keys/id_opn4.pub
-        ];
+        openssh.authorizedKeys.keyFiles = lib.filesystem.listFilesRecursive ../../keys;
       };
     };
     programs.zsh.enable = true;

users/modules/cli/bat.nix

@@ -5,9 +5,9 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.bat;
+  cfg = config.home.cli.bat;
 in {
-  options.modules.bat.extras = mkEnableOption "Enables extra packages for bat.";
+  options.home.cli.bat.extras = mkEnableOption "Enables extra packages for bat.";
   config.programs.bat = {
     enable = true;
     config = {
@@ -19,7 +19,6 @@ in {
     extraPackages = mkIf cfg.extras (with pkgs.bat-extras; [
       batman
       batpipe
-      batgrep
     ]);
   };
 }

users/modules/cli/default.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.home.cli;
+in {
+  imports = [
+    ./bat.nix
+    ./btop.nix
+    ./direnv.nix
+    ./eza.nix
+    ./mu.nix
+    ./nh.nix
+    ./nix-index.nix
+    ./scripts
+    ./tealdeer.nix
+    ./yt-dlp.nix
+  ];
+
+  options.home.cli.fullDesktop = mkEnableOption "Enable all optional modules and options";
+  config.home.cli = {
+    bat.extras = mkDefault cfg.fullDesktop;
+    mu.enable = mkDefault cfg.fullDesktop;
+    scripts.enable = mkDefault cfg.fullDesktop;
+    yt-dlp.enable = mkDefault cfg.fullDesktop;
+  };
+}

users/modules/cli/direnv.nix

@@ -0,0 +1,10 @@
+{
+  programs.direnv = {
+    enable = true;
+    config.global = {
+      load_dotenv = true;
+      hide_env_diff = true;
+    };
+    nix-direnv.enable = true;
+  };
+}

users/modules/cli/mu.nix

@@ -0,0 +1,11 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.home.cli.mu;
+in {
+  options.home.cli.mu.enable = mkEnableOption "Enable mu";
+  config.programs.mu.enable = cfg.enable;
+}

users/modules/cli/nh.nix

@@ -4,9 +4,9 @@
   ...
 }:
 with lib; let
-  cfg = config.modules.nh;
+  cfg = config.home.cli.nh;
 in {
-  options.modules.nh.flake = mkOption {
+  options.home.cli.nh.flake = mkOption {
     type = types.path;
     default = "/home/phundrak/.dotfiles";
     example = "/etc/nixos";

users/modules/cli/nix-index.nix

@@ -0,0 +1,10 @@
+{inputs, ...}: {
+  imports = [
+    inputs.nix-index-database.homeModules.nix-index
+  ];
+
+  programs = {
+    nix-index.enable = true;
+    nix-index-database.comma.enable = true;
+  };
+}

users/modules/cli/scripts/askpass.nix

@@ -0,0 +1,3 @@
+{pkgs, ...}:
+pkgs.writeShellScriptBin "askpass" ''
+  ${pkgs.rofi}/bin/rofi -dmenu -password -no-fixed-num-lines -p $(printf \"$*\" | sed 's/://')''

users/modules/cli/scripts/default.nix

@@ -0,0 +1,15 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.home.cli.scripts;
+  files = filesystem.listFilesRecursive ./.;
+  scriptFiles = builtins.filter (path: baseNameOf path != "default.nix") files;
+  scripts = map (file: (import file {inherit pkgs config;})) scriptFiles;
+in {
+  options.home.cli.scripts.enable = mkEnableOption "Add custom scripts to PATH";
+  config.home.packages = mkIf cfg.enable scripts;
+}

users/modules/cli/scripts/launch-with-emacsclient.nix

@@ -1,10 +1,10 @@
 {
   pkgs,
-  emacsPackage,
+  config,
   ...
 }:
 pkgs.writeShellScriptBin "launch-with-emacsclient" ''
   filename="$1"
   line="$2"
   column="$3"
-  ${emacsPackage}/bin/emacsclient +$line:$column "$filename"''
+  ${config.home.dev.editors.emacs.package}/bin/emacsclient +$line:$column "$filename"''

users/modules/cli/scripts/plock.nix

@@ -0,0 +1,16 @@
+{pkgs, ...}:
+pkgs.writeShellScriptBin "plock" ''
+  TMPBG="/tmp/screen.png"
+  if [ "$XDG_SESSION_TYPE" = "wayland" ]; then
+      SCREENER=${pkgs.grim}/bin/grim
+      LOCKER="${pkgs.swaylock}/bin/swaylock -feF"
+  else
+      SCREENER=${pkgs.scrot}/bin/scrot
+      LOCKER="${pkgs.i3lock}/bin/i3lock -ef"
+  fi
+
+  $SCREENER "$TMPBG"
+  ${pkgs.corrupter}/bin/corrupter -add 0 "$TMPBG" "$TMPBG"
+  $LOCKER -ti "$TMPBG"
+  rm "$TMPBG"
+''

users/modules/cli/scripts/screenshot.nix

@@ -0,0 +1,56 @@
+{pkgs, ...}:
+pkgs.writeShellScriptBin "screenshot" ''
+  OUTFILE_BASE="$HOME/Pictures/Screenshots/Screenshot_$(date +%Y-%m-%d_%H.%M.%S)"
+  OUTFILE="$OUTFILE_BASE.png"
+  SUFFIX=0
+
+  while getopts ':cd:egs' OPTION; do
+      case "$OPTION" in
+          c )
+              COPY="yes"
+              ;;
+          d )
+              DELAY="$OPTARG"
+              ;;
+          e )
+              EDIT="yes"
+              ;;
+          g )
+              GIMP="yes"
+              ;;
+          s )
+              SELECT="yes"
+              ;;
+          ? )
+              echo "Usage: $(basename "$0") [-c] [-d DELAY] [-e] [-g] [-s]"
+              exit 1
+              ;;
+      esac
+  done
+
+  if [ "$SELECT" = "yes" ]; then
+    AREA="$(${pkgs.slurp}/bin/slurp)"
+  fi
+
+  if [ -n "$DELAY" ]; then
+    sleep "$DELAY"
+  fi
+
+  if [ "$SELECT" = "yes" ]; then
+    ${pkgs.grim}/bin/grim -g "$AREA" "$OUTFILE"
+  else
+    ${pkgs.grim}/bin/grim "$OUTFILE"
+  fi
+
+  if [ "$EDIT" = "yes" ];then
+    ${pkgs.swappy}/bin/swappy -f "$OUTFILE" -o "$OUTFILE"
+  fi
+
+  if [ "$GIMP" = "yes" ]; then
+    ${pkgs.gimp}/bin/gimp "$OUTFILE"
+  fi
+
+  if [ "$COPY" = "yes" ]; then
+    ${pkgs.wl-clipboard-rs}/bin/wl-copy < "$OUTFILE"
+  fi
+''

users/modules/cli/scripts/ytplay.nix

@@ -0,0 +1,16 @@
+{pkgs, ...}:
+pkgs.writeShellScriptBin "ytplay" ''
+  URL=$(rofi -dmenu -i -p "Video URL")
+  if [ -z "$URL" ]; then
+      echo "You need to provide a URL"
+      exit 1
+  fi
+  RESOLUTION_CHOICE=$(${pkgs.yt-dlp}/bin/yt-dlp --list-formats "$URL" | \
+                          grep -E "webm.*[0-9]+x[0-9]" | \
+                          awk '{print $3 " " $1}' | \
+                          sort -gu | \
+                          rofi -dmenu -i -p "Resolution")
+  mapfile -t RESOLUTION <<< "$RESOLUTION_CHOICE"
+  RESOLUTION_CODE=''${RESOLUTION[0]}
+  ${pkgs.mpv}/bin/mpv --ytdl-format="''${RESOLUTION_CODE}+bestaudio/best" "$URL"
+''

users/modules/cli/yt-dlp.nix

@@ -0,0 +1,18 @@
+{
+  lib,
+  config,
+  ...
+}:
+with lib; let
+  cfg = config.home.cli.yt-dlp;
+in {
+  options.home.cli.yt-dlp.enable = mkEnableOption "Enable yt-dlp";
+  config.programs.yt-dlp = mkIf cfg.enable {
+    inherit (cfg) enable;
+    settings = {
+      embed-thumbnail = true;
+      embed-subs = true;
+      sub-langs = "all";
+    };
+  };
+}

users/modules/default.nix

@@ -1,16 +1,29 @@
 {
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.home;
+in {
   imports = [
     ./basics.nix
-    ./bat.nix
-    ./btop.nix
-    ./direnv.nix
-    ./eza.nix
-    ./mopidy.nix
-    ./nh.nix
+    ./cli
+    ./desktop
+    ./dev
+    ./media
+    ./services
+    ./security
     ./shell
-    ./ssh.nix
-    ./tealdeer.nix
-    ./tmux.nix
-    ./vcs
   ];
+
+  options.home.fullDesktop = mkEnableOption "Enable most modules";
+  config.home = {
+    cli.fullDesktop = mkDefault cfg.fullDesktop;
+    desktop.fullDesktop = mkDefault cfg.fullDesktop;
+    dev.fullDesktop = mkDefault cfg.fullDesktop;
+    media.fullDesktop = mkDefault cfg.fullDesktop;
+    security.fullDesktop = mkDefault cfg.fullDesktop;
+    services.fullDesktop = mkDefault cfg.fullDesktop;
+  };
 }