chore: update lockfile

.envrc

@@ -0,0 +1 @@
+use flake

.gitignore

@@ -9,4 +9,5 @@ result-*
 
 nixos-efi-vars.fd
 
-/.pre-commit-config.yaml
+.direnv/
+.pre-commit-config.yaml

deploy/colmena.nix

@@ -8,29 +8,27 @@ let
   utils = import ../utils { inherit lib; };
   hostDirNames = utils.dirNames ../hosts;
 
-  mkNode = hostname: tags: {
+  mkNode = hostname: meta: {
     imports = [ ../hosts/${hostname} ];
     deployment = {
-      targetHost = self.nixosConfigurations.${hostname}.config.ssh.publicHostname;
+      inherit (meta.deployment) targetHost targetUser tags;
-      targetUser = self.nixosConfigurations.${hostname}.config.ssh.username;
+      buildOnTarget = builtins.any (t: t != "local" && t != "arm") meta.deployment.tags;
-      buildOnTarget = builtins.any (t: t != "local") tags;
-      inherit tags;
     };
   };
 
-  nodes = lib.genAttrs hostDirNames (
+  nodes = lib.genAttrs hostDirNames (hostname: mkNode hostname (utils.hostMeta ../hosts/${hostname}));
-    hostname: mkNode hostname (utils.hostMeta ../hosts/${hostname}).deployment.tags
-  );
 in
-inputs.colmena.lib.makeHive {
+inputs.colmena.lib.makeHive (
-  meta = {
+  {
-    nixpkgs = import inputs.nixpkgs {
+    meta = {
-      localSystem = "x86_64-linux";
+      nixpkgs = import inputs.nixpkgs { localSystem = "x86_64-linux"; };
+      specialArgs = {
+        inherit inputs;
+        outputs = self;
+        dotsPath = ../dots;
+        myUtils = utils;
+      };
     };
-
+  }
-    nodeNixpkgs = builtins.mapAttrs (_: v: v.pkgs) self.nixosConfigurations;
+  // nodes
-    nodeSpecialArgs = builtins.mapAttrs (_: v: v._module.specialArgs or { }) self.nixosConfigurations;
+)
-  };
-
-  inherit nodes;
-}

dots/.bash_aliases/all

@@ -27,8 +27,6 @@ alias ipa="ip -brief address"
 alias ipl="ip -brief link"
 alias ipr="ip route"
 
-alias clip="xclip -sel clip"
-
 alias df="df -kTh"
 alias fzfpac="pacman -Slq | fzf -m --preview 'pacman -Si {1}' | xargs -ro sudo pacman -S"
 alias path='echo -e ${PATH//:/\\n}' # Pretty print path variables

dots/.bin/git-cb

@@ -1,221 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-readonly ALLOWED_MAIN_BRANCHES=("main" "master" "develop")
-readonly BRANCH_TYPES=(
-  "feat      For new features"
-  "hotfix    For urgent fixes"
-  "fix       For fixes"
-  "release   For preparing releases"
-  "chore     For non-code tasks"
-)
-
-error() {
-  echo "Error: $1" >&2
-  exit 1
-}
-
-warn() {
-  echo "Warning: $1" >&2
-}
-
-check_dependencies() {
-  local missing=()
-  for cmd in git fzf; do
-    if ! command -v "$cmd" &> /dev/null; then
-      missing+=("$cmd")
-    fi
-  done
-
-  if [[ ${#missing[@]} -gt 0 ]]; then
-    error "Missing required commands: ${missing[*]}"
-  fi
-}
-
-check_git_repo() {
-  if ! git rev-parse --git-dir &> /dev/null; then
-    error "Not in a git repository"
-  fi
-}
-
-check_current_branch() {
-  local current_branch
-  current_branch=$(git branch --show-current)
-
-  local is_main_branch=false
-  for branch in "${ALLOWED_MAIN_BRANCHES[@]}"; do
-    if [[ "$current_branch" == "$branch" ]]; then
-      is_main_branch=true
-      break
-    fi
-  done
-
-  if [[ "$is_main_branch" == false ]]; then
-    warn "Not branching from a main branch (current: $current_branch)"
-    read -rp "Continue anyway? [y/N] " response
-    if [[ ! "$response" =~ ^[Yy]$ ]]; then
-      exit 0
-    fi
-  fi
-}
-
-get_user_email() {
-  local email
-  email=$(git config --get user.email 2>/dev/null)
-
-  if [[ -z "$email" ]]; then
-    error "Git user email not configured. Run: git config user.email 'your@email.com'"
-  fi
-
-  echo "$email"
-}
-
-select_branch_type() {
-  local selected
-  selected=$(printf '%s\n' "${BRANCH_TYPES[@]}" | \
-    fzf --prompt="Select branch type: " \
-        --height=40% \
-        --border \
-        --info=inline) || error "Branch type selection cancelled"
-
-  echo "${selected%% *}"
-}
-
-select_jira_ticket() {
-  local email=$1
-
-  if ! command -v jira &> /dev/null; then
-    warn "Jira CLI not found. Proceeding without ticket ID."
-    return 0
-  fi
-
-  echo "Fetching Jira tickets for $email..." >&2
-  local jira_data
-  jira_data=$(jira issue list --assignee="$email" --order-by=priority --plain --no-headers 2>/dev/null) || {
-    warn "Could not fetch Jira tickets. Proceeding without ticket ID."
-    return 0
-  }
-
-  if [[ -z "$jira_data" ]]; then
-    warn "No Jira tickets found. Proceeding without ticket ID."
-    return 0
-  fi
-
-  echo "$jira_data" >&2
-  echo "" >&2
-
-  local formatted_tickets
-  formatted_tickets=$(echo "$jira_data" | awk '{
-    ticket_id = $2
-    $1 = $2 = ""
-    description = $0
-    gsub(/^[ \t]+/, "", description)
-    if (length(description) > 60) {
-      description = substr(description, 1, 57) "..."
-    }
-    print ticket_id " - " description
-  }')
-
-  if [[ -z "$formatted_tickets" ]]; then
-    warn "No tickets to display. Proceeding without ticket ID."
-    return 0
-  fi
-
-  local selected_ticket
-  selected_ticket=$(echo -e "SKIP - Create branch without ticket ID\n$formatted_tickets" | \
-    fzf --prompt="Select Jira ticket (or skip): " \
-        --height=40% \
-        --border \
-        --info=inline) || error "Ticket selection cancelled"
-
-  if [[ "$selected_ticket" != "SKIP"* ]]; then
-    echo "${selected_ticket%% -*}"
-  fi
-}
-
-get_branch_description() {
-  local ticket_id=$1
-  local editor="${EDITOR:-vi}"
-  local tmpfile
-  tmpfile=$(mktemp)
-
-  trap "rm -f '$tmpfile'" EXIT
-
-  if [[ -n "$ticket_id" ]]; then
-    cat > "$tmpfile" << EOF
-# Selected ticket: $ticket_id
-# Enter your branch description below in kebab-case (e.g., my-description):
-# The ticket ID will be automatically included in the branch name.
-# Lines starting with # will be ignored.
-
-EOF
-  else
-    cat > "$tmpfile" << 'EOF'
-# Enter your branch description below in kebab-case (e.g., my-description):
-# Lines starting with # will be ignored.
-
-EOF
-  fi
-  
-  "$editor" "$tmpfile" < /dev/tty > /dev/tty
-
-  local desc
-  desc=$(grep -v '^#' "$tmpfile" | tr -d '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
-
-  echo "$desc"
-}
-
-validate_description() {
-  local desc=$1
-
-  if [[ -z "$desc" ]]; then
-    error "No description provided"
-  fi
-
-  if [[ ! "$desc" =~ ^[a-z0-9]+(-[a-z0-9]+)*$ ]]; then
-    error "Invalid branch description format.\nUse lowercase letters, numbers, and hyphens only.\nNo trailing or consecutive hyphens allowed.\nExample: my-feature-description"
-  fi
-}
-
-create_branch() {
-  local type=$1
-  local ticket_id=$2
-  local desc=$3
-
-  local branch
-  if [[ -n "$ticket_id" ]]; then
-    branch="$type/$ticket_id-$desc"
-  else
-    branch="$type/$desc"
-  fi
-
-  if git show-ref --verify --quiet "refs/heads/$branch"; then
-    error "Branch '$branch' already exists"
-  fi
-
-  echo ""
-  echo "Creating branch: $branch"
-  git checkout -b "$branch"
-}
-
-main() {
-  check_dependencies
-  check_git_repo
-  check_current_branch
-
-  local email
-  email=$(get_user_email)
-
-  local type
-  type=$(select_branch_type)
-
-  echo "About to call select_jira_ticket" >&2
-  local ticket_id=""
-  ticket_id=$(select_jira_ticket "$email")
-  local desc
-  desc=$(get_branch_description "$ticket_id")
-  validate_description "$desc"
-  create_branch "$type" "$ticket_id" "$desc"
-}
-
-main "$@"

dots/.bin/save-zk

@@ -1,4 +0,0 @@
-#!/usr/bin/env bash
-
-cd "$ZK_PATH" || echo "No zettelkasten directory found"
-git a . && git commit -m "Update" && git push

dots/.bin/setup-zk

@@ -1,20 +0,0 @@
-#!/bin/bash
-
-if [ ! -d ~/.zk ]; then
-    echo "[zk] Setting up zettelkasten"
-    gh repo clone zk ~/.zk
-else
-    echo "[zk] Zettelkasten already set up."
-fi
-
-read -p "Would you like open your zettelkasten? [y/N] " -n 1 -r
-echo
-
-if [[ $REPLY =~ ^[Yy]$ ]]; then
-  if [ -x "$(command -v zk)" ]; then
-    zk
-  else
-    echo "Error: 'zk' command not found or not executable"
-    exit 1
-  fi
-fi

dots/.config/nvim/after/plugin/hydra.lua

@@ -0,0 +1,35 @@
+local hydra_repl = "hydra-repl"
+
+if not vim.fn.executable(hydra_repl) then
+  return
+end
+
+local function send(lines)
+  vim.system({ hydra_repl, table.concat(lines, "\n") })
+end
+
+local function get_paragraph(buf)
+  local start_ = vim.fn.search("^$", "bnW")
+  local end_ = vim.fn.search("^$", "nW") - 1
+  if end_ < vim.api.nvim_win_get_cursor(0)[1] then
+    end_ = vim.api.nvim_buf_line_count(buf)
+  end
+  return vim.api.nvim_buf_get_lines(buf, start_, end_, false)
+end
+
+local function get_selection(buf)
+  return vim.api.nvim_buf_get_lines(buf, vim.fn.line("'<") - 1, vim.fn.line("'>"), false)
+end
+
+vim.api.nvim_create_autocmd("FileType", {
+  pattern = "javascript",
+  callback = function(e)
+    if vim.fn.fnamemodify(vim.api.nvim_buf_get_name(e.buf), ":e") ~= "hydra" then
+      return
+    end
+
+    local buf = e.buf
+    vim.keymap.set("n", "<CR>", function() send(get_paragraph(buf)) end, { buffer = buf, desc = "hydra: send block" })
+    vim.keymap.set("v", "<CR>", function() send(get_selection(buf)) end, { buffer = buf, desc = "hydra: send selection" })
+  end,
+})

dots/.config/nvim/after/plugin/wiki.vim.lua

@@ -1,6 +1,8 @@
+require("zk.utils")
+
 vim.cmd([[
 " Change local buffer to directory of current file after the plugin has loaded
-autocmd VimEnter * lcd %:p:h
+execute 'autocmd BufEnter' g:zk_path . '/*.md' 'silent lcd %:p:h'
 
 " " Override wiki index mapping to also cd into the wiki
 nm <leader>ww <plug>(wiki-index)
@@ -11,11 +13,16 @@ nm <leader>ww <plug>(wiki-index)
 " nm <leader>s <plug>(wiki-link-follow-split)
 " nm <leader>v <plug>(wiki-link-follow-vsplit)
 
-autocmd BufEnter *.md if expand('%:t') =~ '_' | echo 'hierarchical relation' | endif
+function! ZKContextualEcho()
-autocmd BufEnter *.md if expand('%:t') =~ '--' | echo 'relation' | endif
+  let l:name = expand('%:t')
-autocmd BufEnter *.md if expand('%:t') =~ '<>' | echo 'dichotomy' | endif
+  if l:name =~ '_' | echo 'hierarchical relation'
-autocmd BufEnter *.md if expand('%:t') =~ 'my-' | echo 'personal file' | endif
+  elseif l:name =~ '--' | echo 'relation'
-autocmd BufEnter *.md if expand('%:t') =~ 'project_' | echo 'project file' | endif
+  elseif l:name =~ '<>' | echo 'dichotomy'
+  elseif l:name =~ 'my-' | echo 'personal file'
+  elseif l:name =~ 'project_' | echo 'project file'
+  endif
+endfunction
+execute 'autocmd BufEnter' g:zk_path . '/*.md' 'call ZKContextualEcho()'
 
 " Only load wiki.vim for zk directory
 let g:wiki_index_name='index'
@@ -76,7 +83,7 @@ let g:wiki_templates = [
 "
 
 let g:wiki_filetypes=['md']
-let g:wiki_root='~/.zk'
+let g:wiki_root=g:zk_path
 let g:wiki_global_load=0
 let g:wiki_link_creation = {
       \ 'md': {

dots/.config/nvim/flake.lock

@@ -42,11 +42,11 @@
     },
     "nixCats": {
       "locked": {
-        "lastModified": 1770584904,
+        "lastModified": 1777273601,
-        "narHash": "sha256-9Zaz8lbKF2W9pwXZEnbiGsicHdBoU+dHt3Wv3mCJoZ8=",
+        "narHash": "sha256-xBUa8Tl9V7IXI+VmLEuDc81La/EhoSn1C3EVSnJ3cfU=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "538fdde784d2909700d97a8ef307783b33a86fb1",
+        "rev": "f69ea013e328841a7def7037ed59788a76be8816",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1770843696,
+        "lastModified": 1777270315,
-        "narHash": "sha256-LovWTGDwXhkfCOmbgLVA10bvsi/P8eDDpRudgk68HA8=",
+        "narHash": "sha256-yKB4G6cKsQsWN7M6rZGk6gkJPDNPIzT05y4qzRyCDlI=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2343bbb58f99267223bc2aac4fc9ea301a155a16",
+        "rev": "6368eda62c9775c38ef7f714b2555a741c20c72d",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
     "plugins-helm-ls-nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1768584652,
+        "lastModified": 1773934114,
-        "narHash": "sha256-jnMc87OjURNcqsva0npYgVyUrWc5C6L7yHpNvt9eSmg=",
+        "narHash": "sha256-8trqFsA7nTKSdtkiAL0Sa9bXjh5ONtAqN7XNE/B8ukM=",
         "owner": "qvalentin",
         "repo": "helm-ls.nvim",
-        "rev": "f0b9a1723890971a6d84890b50dbf5f40974ea1b",
+        "rev": "20df43509b02a3ce3c6b3eee254d6e2bffa9a370",
         "type": "github"
       },
       "original": {

dots/.config/nvim/flake.nix

@@ -45,13 +45,38 @@
       inherit (nixCats) utils;
       luaPath = ./.;
       forEachSystem = utils.eachSystem nixpkgs.lib.platforms.all;
-      extra_pkg_config = { };
+      extra_pkg_config = {
+        allowUnfreePredicate =
+          pkg:
+          builtins.elem (nixpkgs.lib.getName pkg) [
+            "vim-sandwich"
+            "jupytext.nvim"
+            "eyeliner.nvim"
+            "context_filetype.vim"
+            "editorconfig-vim"
+            "unicode.vim"
+            "quarto-nvim"
+            "vim-openscad"
+            "lsp_lines.nvim"
+            "nvim-highlight-colors"
+            "nvim-lint"
+          ];
+      };
 
       mkDependencyOverlays = system: [
         (utils.standardPluginOverlay inputs)
         (_final: _prev: {
           mcp-hub = inputs.mcp-hub.packages.${system}.default;
         })
+        (_: prev: {
+          luajitPackages = prev.luajitPackages.overrideScope (
+            _: lprev: {
+              neotest = lprev.neotest.overrideAttrs (_: {
+                doCheck = false;
+              });
+            }
+          );
+        })
       ];
 
       categoryDefinitions =
@@ -62,9 +87,11 @@
         {
           lspsAndRuntimeDeps = with pkgs; {
             general = [
+              nodejs_24
               black
               clang
               clang-tools
+              curl # → plenary-nvim, mcp-hub
               delta
               emmet-language-server
               eslint_d
@@ -78,8 +105,8 @@
               mcp-hub
               nixd
               nixfmt
-              nodePackages.prettier
+              prettier
-              nodePackages.typescript-language-server
+              typescript-language-server
               ormolu
               prettierd
               rust-analyzer
@@ -88,6 +115,8 @@
               stylelint
               stylua
               tree-sitter
+              tailwindcss-language-server
+              typescript-language-server
               vscode-langservers-extracted
               vtsls
               yaml-language-server

dots/.config/nvim/lua/ftdetect.lua

@@ -9,5 +9,6 @@ vim.filetype.add({
     ["%.env.*"] = "dotenv",
     ["%.pl$"] = "prolog",
     [".*.containerfile.*"] = "dockerfile",
+    ["%.hydra$"] = "javascript",
   },
 })

dots/.config/nvim/lua/zk/cmp.lua

@@ -13,28 +13,31 @@ local function get_markdown_files(base)
   return items
 end
 
+function source:get_keyword_pattern()
+  return "[%w%./%-]*"
+end
+
 function source:complete(params, callback)
   local cursor_before_line = params.context.cursor_before_line
   local cursor_after_line = params.context.cursor_after_line or ""
 
-  local trigger = cursor_before_line:match("%[[^%]]*%]%(([^)]*)$")
+  if not cursor_before_line:match("%[[^%]]*%]%(") then
-
-  if trigger ~= nil then
-    local items = get_markdown_files(".")
-    local next_char = cursor_after_line:sub(1, 1)
-
-    for _, item in ipairs(items) do
-      if next_char == ")" then
-        item.insertText = item.label
-      else
-        item.insertText = item.label .. ")"
-      end
-    end
-
-    callback(items)
-  else
     callback({})
+    return
   end
+
+  local items = get_markdown_files(".")
+  local next_char = cursor_after_line:sub(1, 1)
+
+  for _, item in ipairs(items) do
+    if next_char == ")" then
+      item.insertText = item.label
+    else
+      item.insertText = item.label .. ")"
+    end
+  end
+
+  callback(items)
 end
 
 function source:get_trigger_characters()

dots/.config/nvim/lua/zk/init.lua

@@ -1,9 +1,10 @@
 require("zk.cmp")
+require("zk.utils")
 
 vim.cmd([[
 let s:zk_preview_enabled = 0
 let s:live_server_job = -1
-au BufEnter /home/h/.zk/*.md silent exe '!echo "%" > /home/h/.zk/current-zettel.txt'
+execute 'au BufEnter' g:zk_path . '/*.md' 'silent exe "!echo %" ">" g:zk_path . "/current-zettel.txt"'
 function! ToggleZKPreview()
     if s:zk_preview_enabled == 1
         let s:zk_preview_enabled = 0
@@ -11,10 +12,10 @@ function! ToggleZKPreview()
         au! ZKPreview
     else
         let s:zk_preview_enabled = 1
-        let s:live_server_job = jobstart('live-server --watch=/home/h/.zk/current-zettel-content.html --open=current-zettel-content.html --port=8080')
+        let s:live_server_job = jobstart('live-server --watch=' . g:zk_path . '/current-zettel-content.html --open=current-zettel-content.html --port=8080')
         augroup ZKPreview
-          au BufEnter /home/h/.zk/*.md silent exe '!cat "%:r.html" > /home/h/.zk/current-zettel-content.html'
+          execute 'au BufEnter' g:zk_path . '/*.md' 'silent exe "!cat %:r.html" ">" g:zk_path . "/current-zettel-content.html"'
-          au BufWritePost /home/h/.zk/*.md silent exe '!make && cat "%:r.html" > /home/h/.zk/current-zettel-content.html'
+          execute 'au BufWritePost' g:zk_path . '/*.md' 'silent exe "!make && cat %:r.html" ">" g:zk_path . "/current-zettel-content.html"'
         augroup END
     endif
 endfunction

dots/.config/nvim/lua/zk/utils.lua

@@ -0,0 +1,2 @@
+vim.g.zk_path = os.getenv("ZK_PATH") or (os.getenv("HOME") .. "/.zk")
+return vim.g.zk_path

dots/.config/tmux/hooks/tmux.ssh.conf

@@ -1 +0,0 @@
-set -g status-style bg=colour12,fg=colour0

dots/.config/tmux/tmux.conf

@@ -70,8 +70,6 @@ set -g status-right '#(uptime | cut -f 4-5 -d " " | cut -f 1 -d ",") %a %l:%M:%S
 
 set -g default-terminal "tmux-256color"
 
-set-hook -g after-new-session 'if -F "#{==:#{session_name},ssh}" "source ${XDG_CONFIG_HOME}/tmux/hooks/tmux.ssh.conf" "source ${XDG_CONFIG_HOME}/tmux/hooks/tmux.regular.conf"'
-
 # Vi copypaste mode
 if-shell "test '\( #{$TMUX_VERSION_MAJOR} -eq 2 -a #{$TMUX_VERSION_MINOR} -ge 4 \)'" 'bind-key -Tcopy-mode-vi v send -X begin-selection; bind-key -Tcopy-mode-vi y send -X copy-selection-and-cancel'
 if-shell '\( #{$TMUX_VERSION_MAJOR} -eq 2 -a #{$TMUX_VERSION_MINOR} -lt 4\) -o #{$TMUX_VERSION_MAJOR} -le 1' 'bind-key -t vi-copy v begin-selection; bind-key -t vi-copy y copy-selection'

dots/.local/share/task/hooks/on-add.limit.py

@@ -1,29 +0,0 @@
-#!/usr/bin/env python3
-import sys
-import json
-
-SLOTS_FILE = "/home/h/.local/share/task/add_slots"
-
-def get_slots():
-    try:
-        with open(SLOTS_FILE, "r") as f:
-            return int(f.read().strip())
-    except:
-        return 0
-
-slots = get_slots()
-
-if slots <= 0:
-    print(f"Cannot add task: No slots available (0/{slots}).")
-    print("Delete or complete a task first to earn an add slot.")
-    sys.exit(1)
-
-with open(SLOTS_FILE, "w") as f:
-    f.write(str(slots - 1))
-
-print(f"Task added. Slots remaining: {slots - 1}")
-
-for line in sys.stdin:
-    task = json.loads(line)
-    print(json.dumps(task))
-    sys.exit(0)

dots/.local/share/task/hooks/on-modify.limit.py

@@ -1,34 +0,0 @@
-#!/usr/bin/env python3
-import sys
-import json
-
-SLOTS_FILE = "/home/h/.local/share/task/add_slots"
-
-def get_slots():
-    try:
-        with open(SLOTS_FILE, "r") as f:
-            return int(f.read().strip())
-    except:
-        return 0
-
-data = sys.stdin.read().strip().split("\n")
-if len(data) < 2:
-    for line in data:
-        if line:
-            print(line)
-    sys.exit(0)
-
-old_task = json.loads(data[0])
-new_task = json.loads(data[1])
-
-was_pending = old_task.get("status") == "pending"
-is_not_pending = new_task.get("status") in ("completed", "deleted")
-
-if was_pending and is_not_pending:
-    slots = get_slots() + 1
-    with open(SLOTS_FILE, "w") as f:
-        f.write(str(slots))
-    print(f"Slot earned! Total slots: {slots}")
-
-print(json.dumps(new_task))
-sys.exit(0)

flake.lock

@@ -38,11 +38,11 @@
     "base16-helix": {
       "flake": false,
       "locked": {
-        "lastModified": 1760703920,
+        "lastModified": 1776754714,
-        "narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
+        "narHash": "sha256-E3OAK27smtATTmX45uoTSRsVD+Y+ZiVVfgM/tjpbtYg=",
         "owner": "tinted-theming",
         "repo": "base16-helix",
-        "rev": "d646af9b7d14bff08824538164af99d0c521b185",
+        "rev": "4d508123037e7851ad36ebf7d9c48b0e9e1eb581",
         "type": "github"
       },
       "original": {
@@ -121,11 +121,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1774843378,
+        "lastModified": 1778040175,
-        "narHash": "sha256-8QLbY8F7UdxeQaW0KUVgr1/YPIupe+1lGjS5joR+ZCw=",
+        "narHash": "sha256-SSXJp3BMjO2LrW/VLjNdGGcjd3RFEyV4FemYA6OGrYw=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "0a31b668e3ebb599f95dc518076d709e8dddb57c",
+        "rev": "3bd76b0f41e65661866bddcac57ebe83aeadb581",
         "type": "gitlab"
       },
       "original": {
@@ -138,11 +138,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1764873433,
+        "lastModified": 1776136500,
-        "narHash": "sha256-1XPewtGMi+9wN9Ispoluxunw/RwozuTRVuuQOmxzt+A=",
+        "narHash": "sha256-r0gN2brVWA351zwMV0Flmlcd6SGMvYqFbvC3DfKFM8Y=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "f7ffd917ac0d253dbd6a3bf3da06888f57c69f92",
+        "rev": "0f8ba203d475587f477e7ae12661bd8459e225b7",
         "type": "github"
       },
       "original": {
@@ -213,11 +213,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767609335,
+        "lastModified": 1775087534,
-        "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=",
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "250481aafeb741edfe23d29195671c19b36b6dca",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
         "type": "github"
       },
       "original": {
@@ -284,11 +284,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775036584,
+        "lastModified": 1776796298,
-        "narHash": "sha256-zW0lyy7ZNNT/x8JhzFHBsP2IPx7ATZIPai4FJj12BgU=",
+        "narHash": "sha256-PcRvlWayisPSjd0UcRQbhG8Oqw78AcPE6x872cPRHN8=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "4e0eb042b67d863b1b34b3f64d52ceb9cd926735",
+        "rev": "3cfd774b0a530725a077e17354fbdb87ea1c4aad",
         "type": "github"
       },
       "original": {
@@ -321,20 +321,18 @@
     "gnome-shell": {
       "flake": false,
       "locked": {
-        "host": "gitlab.gnome.org",
         "lastModified": 1767737596,
         "narHash": "sha256-eFujfIUQDgWnSJBablOuG+32hCai192yRdrNHTv0a+s=",
         "owner": "GNOME",
         "repo": "gnome-shell",
         "rev": "ef02db02bf0ff342734d525b5767814770d85b49",
-        "type": "gitlab"
+        "type": "github"
       },
       "original": {
-        "host": "gitlab.gnome.org",
         "owner": "GNOME",
-        "ref": "gnome-49",
         "repo": "gnome-shell",
-        "type": "gitlab"
+        "rev": "ef02db02bf0ff342734d525b5767814770d85b49",
+        "type": "github"
       }
     },
     "home-manager": {
@@ -344,11 +342,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1775047159,
+        "lastModified": 1778009629,
-        "narHash": "sha256-UWM4VZvfKaPwA9FMu7iZha5YAE8vsEtUazk+rFxmbTY=",
+        "narHash": "sha256-nUoQtf4Zq7DRYJrfv904hjrxjAlWVP6a1pNNFKx3FCg=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "1ce9e62690dfdd7e76bd266ccb9a887778410eb2",
+        "rev": "00ed86e58bb6979a7921859fd1615d19382eac5c",
         "type": "github"
       },
       "original": {
@@ -400,10 +398,10 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1773999602,
+        "lastModified": 1776723456,
-        "narHash": "sha256-Th4RuCEPHC8y1w/wrW9OSv9nAJ3/NSZ3MJ4DHhCXCKE=",
+        "narHash": "sha256-GBbbm05oXYqSZ2EgxQPsNpTKl16wNhvrlUxdmv0FbSU=",
         "ref": "main",
-        "rev": "6f4b099a0c5ad1cca97f4ba1a665faaaed367f13",
+        "rev": "135b681d24af6ee4508bbf7c657982d7be8743d4",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/hektor/nix-secrets"
@@ -417,11 +415,11 @@
     },
     "nixCats": {
       "locked": {
-        "lastModified": 1770584904,
+        "lastModified": 1777273601,
-        "narHash": "sha256-9Zaz8lbKF2W9pwXZEnbiGsicHdBoU+dHt3Wv3mCJoZ8=",
+        "narHash": "sha256-xBUa8Tl9V7IXI+VmLEuDc81La/EhoSn1C3EVSnJ3cfU=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "538fdde784d2909700d97a8ef307783b33a86fb1",
+        "rev": "f69ea013e328841a7def7037ed59788a76be8816",
         "type": "github"
       },
       "original": {
@@ -453,11 +451,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1774933469,
+        "lastModified": 1777917524,
-        "narHash": "sha256-OrnCQeUO2bqaWUl0lkDWyGWjKsOhtCyd7JSfTedQNUE=",
+        "narHash": "sha256-k+LVe9YaO2BEPB9AaCtTtOMCeGi4dxDo6gt4Un3qoPY=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "f4c4c2c0c923d7811ac2a63ccc154767e4195337",
+        "rev": "df7783100babf59001340a7a874ba3824e441ecb",
         "type": "github"
       },
       "original": {
@@ -469,11 +467,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1774709303,
+        "lastModified": 1777954456,
-        "narHash": "sha256-D3Q07BbIA2KnTcSXIqqu9P586uWxN74zNoCH3h2ESHg=",
+        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8110df5ad7abf5d4c0f6fb0f8f978390e77f9685",
+        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
         "type": "github"
       },
       "original": {
@@ -511,11 +509,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1767810917,
+        "lastModified": 1777598946,
-        "narHash": "sha256-ZKqhk772+v/bujjhla9VABwcvz+hB2IaRyeLT6CFnT0=",
+        "narHash": "sha256-X239dAGaU1+gfDj8jKH8GzlqKMcxaVfXOio+uzBOkeE=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "dead29c804adc928d3a69dfe7f9f12d0eec1f1a4",
+        "rev": "5d55af01c0f86be583931fe99207fc56c14134b3",
         "type": "github"
       },
       "original": {
@@ -567,11 +565,11 @@
     "plugins-helm-ls-nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1768584652,
+        "lastModified": 1773934114,
-        "narHash": "sha256-jnMc87OjURNcqsva0npYgVyUrWc5C6L7yHpNvt9eSmg=",
+        "narHash": "sha256-8trqFsA7nTKSdtkiAL0Sa9bXjh5ONtAqN7XNE/B8ukM=",
         "owner": "qvalentin",
         "repo": "helm-ls.nvim",
-        "rev": "f0b9a1723890971a6d84890b50dbf5f40974ea1b",
+        "rev": "20df43509b02a3ce3c6b3eee254d6e2bffa9a370",
         "type": "github"
       },
       "original": {
@@ -667,11 +665,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1774910634,
+        "lastModified": 1777944972,
-        "narHash": "sha256-B+rZDPyktGEjOMt8PcHKYmgmKoF+GaNAFJhguktXAo0=",
+        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "19bf3d8678fbbfbc173beaa0b5b37d37938db301",
+        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
         "type": "github"
       },
       "original": {
@@ -710,18 +708,17 @@
         ],
         "nur": "nur",
         "systems": "systems_2",
-        "tinted-foot": "tinted-foot",
         "tinted-kitty": "tinted-kitty",
         "tinted-schemes": "tinted-schemes",
         "tinted-tmux": "tinted-tmux",
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1774897726,
+        "lastModified": 1777835090,
-        "narHash": "sha256-k/H2/oyex6GEC6uYXYetrboFQeTmX1Ouwv/zaW7b/Z0=",
+        "narHash": "sha256-VLH8zPweblCOvpnQXp4fVs7f6Q79YhXF5XFKlOrvIFk=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "9b4a5eb409ceac2dd6ad495c7988e189a418cd30",
+        "rev": "7989a1054b01153212dede6005abfd1576b8328c",
         "type": "github"
       },
       "original": {
@@ -760,23 +757,6 @@
         "type": "github"
       }
     },
-    "tinted-foot": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1726913040,
-        "narHash": "sha256-+eDZPkw7efMNUf3/Pv0EmsidqdwNJ1TaOum6k7lngDQ=",
-        "owner": "tinted-theming",
-        "repo": "tinted-foot",
-        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
-        "type": "github"
-      },
-      "original": {
-        "owner": "tinted-theming",
-        "repo": "tinted-foot",
-        "rev": "fd1b924b6c45c3e4465e8a849e67ea82933fcbe4",
-        "type": "github"
-      }
-    },
     "tinted-kitty": {
       "flake": false,
       "locked": {
@@ -796,11 +776,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1767710407,
+        "lastModified": 1777041405,
-        "narHash": "sha256-+W1EB79Jl0/gm4JqmO0Nuc5C7hRdp4vfsV/VdzI+des=",
+        "narHash": "sha256-BAGZ7ObFV/9Z61OJZun7ifPyhkuHqNuW1QIhQ8LuzCo=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "2800e2b8ac90f678d7e4acebe4fa253f602e05b2",
+        "rev": "5f868b3a338b6904c47f3833b9c411be641983a8",
         "type": "github"
       },
       "original": {
@@ -812,11 +792,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1767489635,
+        "lastModified": 1777169200,
-        "narHash": "sha256-e6nnFnWXKBCJjCv4QG4bbcouJ6y3yeT70V9MofL32lU=",
+        "narHash": "sha256-h7dDbIzP5hDr9v97w9PL6jdAgXawmj6krcH+959rqpU=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "3c32729ccae99be44fe8a125d20be06f8d7d8184",
+        "rev": "f798c2dce44ef815bb6b8f05a82135c7942d35ac",
         "type": "github"
       },
       "original": {
@@ -828,11 +808,11 @@
     "tinted-zed": {
       "flake": false,
       "locked": {
-        "lastModified": 1767488740,
+        "lastModified": 1777463218,
-        "narHash": "sha256-wVOj0qyil8m+ouSsVZcNjl5ZR+1GdOOAooAatQXHbuU=",
+        "narHash": "sha256-Bhkozqtq3BKLqWTlmKm8uAptfX4aRGI8QX3eEL54Vpc=",
         "owner": "tinted-theming",
         "repo": "base16-zed",
-        "rev": "11abb0b282ad3786a2aae088d3a01c60916f2e40",
+        "rev": "5768d08ed2e7944a26a958868cdb073cb8856dae",
         "type": "github"
       },
       "original": {

flake.nix

@@ -70,16 +70,16 @@
       };
     in
     {
-      nix.nixPath = [
-        "nixpkgs=${inputs.nixpkgs}"
-      ]; # <https://github.com/nix-community/nixd/blob/main/nixd/docs/configuration.md>
       nixosConfigurations =
         (lib.genAttrs hostDirNames (
           host:
           nixpkgs.lib.nixosSystem {
             modules = [
               ./hosts/${host}
-              { nixpkgs.hostPlatform = import ./hosts/${host}/system.nix; }
+              {
+                nixpkgs.hostPlatform = (myUtils.hostMeta ./hosts/${host}).system;
+                host.name = host;
+              }
             ];
             specialArgs = {
               inherit

home/hosts/andromache/default.nix

@@ -16,6 +16,7 @@
     ../../modules/cloud
     ../../modules/comms
     ../../modules/desktop/niri
+    ../../modules/devenv
     ../../modules/direnv
     ../../modules/git
     ../../modules/k8s/k9s.nix
@@ -24,10 +25,13 @@
     ../../modules/nvim
     ../../modules/pandoc
     ../../modules/photography
+    ../../modules/secrets
     ../../modules/shell
     ../../modules/ssh
     ../../modules/taskwarrior
     ../../modules/terminal
+    ../../modules/zk
+    ../../modules/torrenting
   ];
 
   home = {
@@ -43,13 +47,18 @@
     printing.enable = true;
     modeling.enable = true;
   };
-  ai-tools.opencode.enable = true;
+  ai-tools = {
+    claude-code.enable = true;
+    opencode.enable = true;
+  };
   browser.primary = "librewolf";
   cloud.hetzner.enable = true;
   comms.signal.enable = true;
   git.github.enable = true;
   shell.bash.aliases.lang-js = true;
   shell.bash.addBinToPath = true;
+  torrenting.enable = true;
+  zk.enable = true;
 
   programs = {
     home-manager.enable = true;

home/hosts/astyanax/default.nix

@@ -15,6 +15,7 @@
     ../../modules/cloud
     ../../modules/comms
     ../../modules/desktop/niri
+    ../../modules/devenv
     ../../modules/direnv
     ../../modules/git
     ../../modules/k8s/k9s.nix
@@ -23,6 +24,7 @@
     ../../modules/nfc
     ../../modules/nvim
     ../../modules/pandoc
+    ../../modules/secrets
     ../../modules/shell
     ../../modules/ssh
     ../../modules/taskwarrior
@@ -35,11 +37,16 @@
     homeDirectory = "/home/${config.host.username}";
   };
 
-  xdg.userDirs.createDirectories = false;
+  xdg.userDirs = {
-  xdg.userDirs.download = "${config.home.homeDirectory}/dl";
+    enable = false;
+    createDirectories = false;
+  };
 
   modules."3d".printing.enable = true;
-  ai-tools.opencode.enable = true;
+  ai-tools = {
+    claude-code.enable = true;
+    opencode.enable = true;
+  };
   browser.primary = "librewolf";
   cloud.hetzner.enable = true;
   comms.signal.enable = true;

home/hosts/work/default.nix

@@ -5,9 +5,6 @@
   ...
 }:
 
-let
-  username = "hektor";
-in
 {
   imports = [
     inputs.sops-nix.homeManagerModules.sops
@@ -21,6 +18,7 @@ in
     ../../modules/database
     ../../modules/dconf
     ../../modules/desktop/niri
+    ../../modules/devenv
     ../../modules/direnv
     ../../modules/docker
     ../../modules/git
@@ -46,12 +44,18 @@ in
 
   nixpkgs.config.allowUnfree = true;
 
-  xdg.systemDirs.config = [ "/etc/xdg" ];
+  xdg = {
+    systemDirs.config = [ "/etc/xdg" ];
+    userDirs = {
+      createDirectories = false;
+      download = "${config.home.homeDirectory}/dl";
+    };
+  };
 
   home = {
     stateVersion = "25.05";
-    inherit username;
+    username = "hektor";
-    homeDirectory = "/home/${username}";
+    homeDirectory = "/home/${config.home.username}";
   };
 
   targets.genericLinux.nixGL = {
@@ -69,8 +73,11 @@ in
     tirith.enable = true;
     opencode.enable = true;
   };
-  database.mssql.enable = true;
+  database = {
-  database.postgresql.enable = true;
+    mssql.enable = true;
+    postgresql.enable = true;
+    redis.enable = true;
+  };
   git.github.enable = true;
   git.gitlab.enable = true;
   secrets.vault.enable = true;

home/modules/ai-tools/claude-code.nix

@@ -0,0 +1,60 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ai-tools.claude-code;
+  rtk-version = "0.18.1";
+in
+{
+  options.ai-tools.claude-code.enable = lib.mkEnableOption "claude code with rtk and ccline";
+
+  config = lib.mkIf cfg.enable {
+    programs.claude-code.enable = true;
+
+    home.packages = with pkgs; [
+      (stdenv.mkDerivation {
+        name = "ccline";
+        src = fetchurl {
+          url = "https://github.com/Haleclipse/CCometixLine/releases/download/v1.0.8/ccline-linux-x64.tar.gz";
+          hash = "sha256-Joe3Dd6uSMGi66QT6xr2oY/Tz8rA5RuKa6ckBVJIzI0=";
+        };
+        unpackPhase = "tar xzf $src";
+        installPhase = ''
+          mkdir -p $out/bin
+          cp ccline $out/bin/
+          chmod +x $out/bin/ccline
+        '';
+        meta = {
+          description = "CCometixLine Linux x64 CLI (Claude Code statusline)";
+          homepage = "https://github.com/Haleclipse/CCometixLine";
+          license = lib.licenses.mit;
+          platforms = [ "x86_64-linux" ];
+        };
+      })
+      (stdenv.mkDerivation {
+        name = "rtk-${rtk-version}";
+        version = rtk-version;
+        src = fetchurl {
+          url = "https://github.com/rtk-ai/rtk/releases/download/v${rtk-version}/rtk-x86_64-unknown-linux-gnu.tar.gz";
+          hash = "sha256-XoTia5K8b00OzcKYCufwx8ApkAS31DxUCpGSU0jFs2Q=";
+        };
+        unpackPhase = "tar xzf $src";
+        installPhase = ''
+          mkdir -p $out/bin
+          cp rtk $out/bin/
+          chmod +x $out/bin/rtk
+        '';
+        meta = {
+          description = "RTK - AI coding tool enhancer";
+          homepage = "https://www.rtk-ai.app";
+          license = lib.licenses.mit;
+          platforms = [ "x86_64-linux" ];
+        };
+      })
+      mcp-nixos
+    ];
+  };
+}

home/modules/ai-tools/default.nix

@@ -1,116 +1,8 @@
 {
-  lib,
+  imports = [
-  config,
+    ./claude-code.nix
-  pkgs,
+    ./opencode.nix
-  ...
+    ./skills.nix
-}:
+    ./tirith.nix
-let
-  cfg = config.ai-tools;
-  rtk-version = "0.18.1";
-in
-{
-  options.ai-tools = {
-    claude-code.enable = lib.mkEnableOption "claude code with rtk and ccline";
-    tirith.enable = lib.mkEnableOption "tirith shell security guard";
-    opencode.enable = lib.mkEnableOption "opencode";
-  };
-
-  config = lib.mkMerge [
-    (lib.mkIf cfg.claude-code.enable {
-      home.packages = with pkgs; [
-        claude-code
-        (pkgs.stdenv.mkDerivation {
-          name = "ccline";
-          src = pkgs.fetchurl {
-            url = "https://github.com/Haleclipse/CCometixLine/releases/download/v1.0.8/ccline-linux-x64.tar.gz";
-            hash = "sha256-Joe3Dd6uSMGi66QT6xr2oY/Tz8rA5RuKa6ckBVJIzI0=";
-          };
-
-          unpackPhase = ''
-            tar xzf $src
-          '';
-
-          installPhase = ''
-            mkdir -p $out/bin
-            cp ccline $out/bin/
-            chmod +x $out/bin/ccline
-          '';
-
-          meta = with pkgs.lib; {
-            description = "CCometixLine Linux x64 CLI (Claude Code statusline)";
-            homepage = "https://github.com/Haleclipse/CCometixLine";
-            license = licenses.mit;
-            platforms = [ "x86_64-linux" ];
-          };
-        })
-        (pkgs.stdenv.mkDerivation {
-          name = "rtk-${rtk-version}";
-          version = rtk-version;
-          src = pkgs.fetchurl {
-            url = "https://github.com/rtk-ai/rtk/releases/download/v${rtk-version}/rtk-x86_64-unknown-linux-gnu.tar.gz";
-            hash = "sha256-XoTia5K8b00OzcKYCufwx8ApkAS31DxUCpGSU0jFs2Q=";
-          };
-
-          unpackPhase = ''
-            tar xzf $src
-          '';
-
-          installPhase = ''
-            mkdir -p $out/bin
-            cp rtk $out/bin/
-            chmod +x $out/bin/rtk
-          '';
-
-          meta = with pkgs.lib; {
-            description = "RTK - AI coding tool enhancer";
-            homepage = "https://www.rtk-ai.app";
-            license = licenses.mit;
-            platforms = [ "x86_64-linux" ];
-          };
-        })
-        mcp-nixos
-      ];
-    })
-    (lib.mkIf cfg.tirith.enable {
-      home.packages = with pkgs; [
-        tirith
-      ];
-    })
-    (lib.mkIf (cfg.tirith.enable && cfg.claude-code.enable) {
-      home.file.".claude/hooks/tirith-check.py" = {
-        source = ./tirith-check.py;
-        executable = true;
-      };
-
-      home.activation.tirith-claude-code = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
-        ${pkgs.tirith}/bin/tirith setup claude-code --with-mcp --scope user --force 2>/dev/null || true
-      '';
-    })
-    (lib.mkIf cfg.opencode.enable {
-      home.packages = with pkgs; [
-        opencode
-      ];
-      home.file.".config/opencode/opencode.json".text = builtins.toJSON {
-        "$schema" = "https://opencode.ai/config.json";
-        permission = {
-          external_directory = {
-            "/run/secrets/" = "deny";
-            "~/.config/sops/age/keys.txt" = "deny";
-            "~/.ssh/id_rsa" = "deny";
-            "~/.ssh/id_ed25519" = "deny";
-            "~/.ssh/id_ecdsa" = "deny";
-            "~/.ssh/id_dsa" = "deny";
-            "/etc/ssh/ssh_host_rsa_key" = "deny";
-            "/etc/ssh/ssh_host_ed25519_key" = "deny";
-            "/etc/ssh/ssh_host_ecdsa_key" = "deny";
-            "/etc/ssh/ssh_host_dsa_key" = "deny";
-          };
-          command = {
-            sops = "deny";
-          };
-        };
-        plugin = [ "@mohak34/opencode-notifier@latest" ];
-      };
-    })
   ];
 }

home/modules/ai-tools/opencode.nix

@@ -0,0 +1,40 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ai-tools.opencode;
+in
+{
+  options.ai-tools.opencode = {
+    enable = lib.mkEnableOption "opencode";
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.packages = [ pkgs.opencode ];
+
+    home.file.".config/opencode/opencode.json".text = builtins.toJSON {
+      "$schema" = "https://opencode.ai/config.json";
+      permission = {
+        external_directory = {
+          "/run/secrets/" = "deny";
+          "~/.config/sops/age/keys.txt" = "deny";
+          "~/.ssh/id_rsa" = "deny";
+          "~/.ssh/id_ed25519" = "deny";
+          "~/.ssh/id_ecdsa" = "deny";
+          "~/.ssh/id_dsa" = "deny";
+          "/etc/ssh/ssh_host_rsa_key" = "deny";
+          "/etc/ssh/ssh_host_ed25519_key" = "deny";
+          "/etc/ssh/ssh_host_ecdsa_key" = "deny";
+          "/etc/ssh/ssh_host_dsa_key" = "deny";
+        };
+        command = {
+          sops = "deny";
+        };
+      };
+      plugin = [ "@mohak34/opencode-notifier@latest" ];
+    };
+  };
+}

home/modules/ai-tools/skills.nix

@@ -0,0 +1,49 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ai-tools.claude-code;
+
+  skillType = lib.types.submodule {
+    options = {
+      owner = lib.mkOption { type = lib.types.str; };
+      repo = lib.mkOption { type = lib.types.str; };
+      rev = lib.mkOption { type = lib.types.str; };
+      hash = lib.mkOption { type = lib.types.str; };
+      skill = lib.mkOption { type = lib.types.str; };
+    };
+  };
+
+  fetchSkill =
+    skill:
+    let
+      src = pkgs.fetchFromGitHub {
+        inherit (skill)
+          owner
+          repo
+          rev
+          hash
+          ;
+      };
+    in
+    {
+      name = ".claude/skills/${skill.skill}";
+      value = {
+        source = "${src}/${skill.skill}";
+        recursive = true;
+      };
+    };
+in
+{
+  options.ai-tools.claude-code.skills = lib.mkOption {
+    type = lib.types.listOf skillType;
+    default = [ ];
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.file = builtins.listToAttrs (map fetchSkill cfg.skills);
+  };
+}

home/modules/ai-tools/tirith.nix

@@ -0,0 +1,30 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ai-tools.tirith;
+in
+{
+  options.ai-tools.tirith = {
+    enable = lib.mkEnableOption "tirith shell security guard";
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      home.packages = [ pkgs.tirith ];
+    })
+    (lib.mkIf (cfg.enable && config.ai-tools.claude-code.enable) {
+      home.file.".claude/hooks/tirith-check.py" = {
+        source = ./tirith-check.py;
+        executable = true;
+      };
+
+      home.activation.tirith-claude-code = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+        ${pkgs.tirith}/bin/tirith setup claude-code --with-mcp --scope user --force 2>/dev/null || true
+      '';
+    })
+  ];
+}

home/modules/anki/default.nix

@@ -4,13 +4,23 @@
   pkgs,
   myUtils,
   osConfig ? null,
+  inputs ? null,
   ...
 }:
 
 let
   sops = myUtils.sopsAvailability config osConfig;
+  standalone = osConfig == null;
 in
-{
+lib.optionalAttrs standalone {
+  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
+    anki = [
+      "sync-user"
+      "sync-key"
+    ];
+  };
+}
+// {
   warnings = lib.optional (
     !sops.available && config.programs.anki.enable
   ) "anki is enabled but sops secrets are not available. anki sync will not be configured.";
@@ -24,8 +34,8 @@ in
       review-heatmap
     ];
     profiles."User 1".sync = lib.mkIf sops.available {
-      usernameFile = "${sops.secrets."anki-sync-user".path}";
+      usernameFile = "${sops.secrets."anki/sync-user".path}";
-      keyFile = "${sops.secrets."anki-sync-key".path}";
+      keyFile = "${sops.secrets."anki/sync-key".path}";
     };
   };
 }

home/modules/browser/default.nix

@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:
 
 {
   options.browser = {
@@ -23,6 +23,8 @@
     };
   };
 
+  config.home.sessionVariables.BROWSER = config.browser.primary;
+
   imports = [
     ./firefox.nix
     ./librewolf.nix

home/modules/clipboard/default.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+  home.packages = with pkgs; [
+    wl-clipboard
+  ];
+}

home/modules/database/default.nix

@@ -9,14 +9,18 @@
   options.database = {
     mssql.enable = lib.mkEnableOption "MSSQL";
     postgresql.enable = lib.mkEnableOption "PostgreSQL";
+    redis.enable = lib.mkEnableOption "Redis";
   };
 
   config = lib.mkMerge [
     (lib.mkIf config.database.mssql.enable {
-      home.packages = [ (config.nixgl.wrap pkgs.dbeaver-bin) ];
+      home.packages = with pkgs; [ (config.nixgl.wrap dbeaver-bin) ];
     })
     (lib.mkIf config.database.postgresql.enable {
-      home.packages = [ (config.nixgl.wrap pkgs.pgadmin4-desktopmode) ];
+      home.packages = with pkgs; [ (config.nixgl.wrap pgadmin4-desktopmode) ];
+    })
+    (lib.mkIf config.database.postgresql.enable {
+      home.packages = with pkgs; [ redis ];
     })
   ];
 }

home/modules/dconf/default.nix

@@ -3,6 +3,7 @@
 let
   terminal = "kitty";
   browser = config.browser.primary;
+  font = "${config.stylix.fonts.monospace.name} ${toString config.stylix.fonts.sizes.applications}";
 in
 {
   dconf.settings = {
@@ -40,9 +41,9 @@ in
       clock-show-weekday = true;
       color-scheme = "prefer-dark";
       enable-hot-corners = false;
-      font-name = "Iosevka Term SS08 12";
+      # font-name = font;
       locate-pointer = true;
-      monospace-font-name = "Iosevka Term SS08 12";
+      monospace-font-name = font;
     };
 
     "org/gnome/desktop/wm/keybindings" = {

home/modules/default.nix

@@ -6,25 +6,32 @@
 }:
 
 {
-  options.nixgl.wrap = lib.mkOption {
+  options = {
-    type = lib.types.functionTo lib.types.package;
+    host.username = lib.mkOption {
-    default = if config.lib ? nixGL then config.lib.nixGL.wrap else lib.id;
+      type = lib.types.str;
-    readOnly = true;
+      default = config.home.username;
-  };
+    };
 
-  options.wrapApp = lib.mkOption {
+    nixgl.wrap = lib.mkOption {
-    type = lib.types.raw;
+      type = lib.types.functionTo lib.types.package;
-    default =
+      default = if config.lib ? nixGL then config.lib.nixGL.wrap else lib.id;
-      pkg: flags:
+      readOnly = true;
-      if config.lib ? nixGL then
+    };
-        pkg.overrideAttrs (old: {
+
-          nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ];
+    wrapApp = lib.mkOption {
-          postInstall = (old.postInstall or "") + ''
+      type = lib.types.raw;
-            wrapProgram $out/bin/${pkg.meta.mainProgram} --add-flags "${flags}"
+      default =
-          '';
+        pkg: flags:
-        })
+        if config.lib ? nixGL then
-      else
+          pkg.overrideAttrs (old: {
-        pkg;
+            nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ];
-    readOnly = true;
+            postInstall = (old.postInstall or "") + ''
+              wrapProgram $out/bin/${pkg.meta.mainProgram} --add-flags "${flags}"
+            '';
+          })
+        else
+          pkg;
+      readOnly = true;
+    };
   };
 }

home/modules/desktop/niri/default.nix

@@ -2,6 +2,7 @@
 
 {
   imports = [
+    ../../clipboard
     ../../fuzzel
     ../../mako
     ../../shikane
@@ -12,7 +13,6 @@
     file.".config/niri/config.kdl".source = ./config.kdl;
     packages = with pkgs; [
       brightnessctl
-      wl-clipboard
       wlsunset
     ];
   };

home/modules/devenv/default.nix

@@ -0,0 +1,4 @@
+{ pkgs, ... }:
+{
+  home.packages = [ pkgs.devenv ];
+}

home/modules/k8s/default.nix

@@ -18,6 +18,10 @@
     enableAlias = true;
   };
 
+  home.shellAliases = {
+    k = "kubectl";
+  };
+
   imports = [
     ./helm.nix
     ./k9s.nix

home/modules/secrets/default.nix

@@ -6,7 +6,8 @@
   imports = [ ./vault.nix ];
 
   home.packages = with pkgs; [
-    sops
     age
+    age-plugin-yubikey # TODO: only needed when using Yubikey
+    sops
   ];
 }

home/modules/ssh/default.nix

@@ -1,18 +1,15 @@
 {
-  outputs,
+  myUtils,
   lib,
   pkgs,
   ...
 }:
 let
-  nixosConfigs = builtins.attrNames outputs.nixosConfigurations;
+  hostDir = ../../hosts;
-  homeConfigs = map (n: lib.last (lib.splitString "@" n)) (
+  hostNames = myUtils.dirNames hostDir;
-    builtins.attrNames outputs.homeConfigurations
-  );
-  allHosts = lib.unique (homeConfigs ++ nixosConfigs);
   hostsWithKeys = lib.filter (
-    hostname: builtins.pathExists ../../hosts/${hostname}/ssh_host.pub
+    hostname: builtins.pathExists (hostDir + "/${hostname}/ssh_host.pub")
-  ) allHosts;
+  ) hostNames;
 in
 {
   home.packages = with pkgs; [ sshfs ];
@@ -25,15 +22,14 @@ in
       lib.genAttrs hostsWithKeys (
         hostname:
         let
-          hostConfig = outputs.nixosConfigurations.${hostname}.config;
+          meta = myUtils.hostMeta (hostDir + "/${hostname}");
-          inherit (hostConfig.ssh) publicHostname username;
         in
         {
           host = hostname;
-          user = username;
+          user = meta.deployment.targetUser;
         }
-        // lib.optionalAttrs (publicHostname != "") {
+        // lib.optionalAttrs (meta.deployment.targetHost != "") {
-          hostname = publicHostname;
+          hostname = meta.deployment.targetHost;
         }
       )
       // {

home/modules/stylix/default.nix

@@ -25,21 +25,6 @@ in
       sansSerif = config.stylix.fonts.monospace;
       emoji = config.stylix.fonts.monospace;
     };
-    targets = {
+    targets = import ../../../modules/stylix/targets.nix;
-      firefox = {
-        profileNames = [ "default" ];
-        colorTheme.enable = true;
-      };
-      librewolf = {
-        profileNames = [ "default" ];
-        colorTheme.enable = true;
-      };
-      gnome.enable = false;
-      gtk.enable = false;
-      kitty = {
-        variant256Colors = true;
-      };
-      nixvim.enable = false;
-    };
   };
 }

home/modules/taskwarrior/default.nix

@@ -5,13 +5,35 @@
   dotsPath,
   myUtils,
   osConfig ? null,
+  inputs ? null,
   ...
 }:
 
 let
   sops = myUtils.sopsAvailability config osConfig;
+  standalone = osConfig == null;
 in
-{
+lib.optionalAttrs standalone {
+  sops = {
+    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
+      taskwarrior = [
+        "sync-server-url"
+        "sync-server-client-id"
+        "sync-encryption-secret"
+      ];
+    };
+
+    templates."taskrc.d/sync" = {
+      content = ''
+        sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"}
+        sync.server.client_id=${config.sops.placeholder."taskwarrior/sync-server-client-id"}
+        sync.encryption_secret=${config.sops.placeholder."taskwarrior/sync-encryption-secret"}
+      '';
+    };
+  };
+}
+// {
+
   warnings =
     lib.optional (!sops.available && config.programs.taskwarrior.enable)
       "taskwarrior is enabled, but sops templates are not available. taskwarrior sync will not be configured.";
@@ -36,14 +58,6 @@ in
     ".local/share/task/hooks/on-exit.sync.py" = {
       source = dotsPath + "/.local/share/task/hooks/on-exit.sync.py";
     };
-    ".local/share/task/hooks/on-add.limit.py" = {
-      source = dotsPath + "/.local/share/task/hooks/on-add.limit.py";
-      executable = true;
-    };
-    ".local/share/task/hooks/on-modify.limit.py" = {
-      source = dotsPath + "/.local/share/task/hooks/on-modify.limit.py";
-      executable = true;
-    };
     ".local/share/task/scripts/sync-and-notify.sh" = {
       source = dotsPath + "/.local/share/task/scripts/sync-and-notify.sh";
       executable = true;
@@ -56,6 +70,7 @@ in
     colorTheme = "dark-256";
     config = {
       recurrence = "off";
+      reserved.lines = 3; # without this I would have to scroll up 3 lines
     };
     extraConfig = lib.optionalString sops.available ''
       include ${sops.templates."taskrc.d/sync".path}

home/modules/tmux/default.nix

@@ -11,9 +11,5 @@
       enable = true;
       extraConfig = builtins.readFile (dotsPath + "/.config/tmux/tmux.conf");
     };
-
-    home.file = {
-      ".config/tmux/hooks/tmux.ssh.conf".source = dotsPath + "/.config/tmux/hooks/tmux.ssh.conf";
-    };
   };
 }

home/modules/torrenting/default.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.torrenting;
+in
+{
+  options.torrenting = {
+    enable = lib.mkEnableOption "transmission torrent client";
+  };
+
+  config = lib.mkIf cfg.enable {
+    home.packages = with pkgs; [
+      transmission_4
+    ];
+  };
+}

home/modules/zk/default.nix

@@ -0,0 +1,45 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  cfg = config.zk;
+in
+{
+  options.zk = {
+    enable = lib.mkEnableOption "zettelkasten";
+    path = lib.mkOption {
+      type = lib.types.str;
+      default = config.home.homeDirectory + "/.zk";
+      description = "Path to the zettelkasten directory";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    home = {
+      sessionVariables.ZK_PATH = cfg.path;
+      packages = [
+        (pkgs.writeShellApplication {
+          name = "zk";
+          runtimeInputs = with pkgs; [ tmux ];
+          text = builtins.readFile ./scripts/zk.sh;
+        })
+
+        (pkgs.writeShellApplication {
+          name = "save-zk";
+          runtimeInputs = with pkgs; [ git ];
+          text = builtins.readFile ./scripts/save-zk.sh;
+        })
+
+        (pkgs.writeShellApplication {
+          name = "setup-zk";
+          runtimeInputs = with pkgs; [ gh ];
+          text = builtins.readFile ./scripts/setup-zk.sh;
+        })
+      ];
+    };
+  };
+}

home/modules/zk/scripts/save-zk.sh

@@ -0,0 +1,2 @@
+cd "$ZK_PATH" || { echo "No zettelkasten directory found"; exit 1; }
+git add . && git commit -m "Update" && git push

home/modules/zk/scripts/setup-zk.sh

@@ -0,0 +1,13 @@
+if [ ! -d "$ZK_PATH" ]; then
+  echo "[zk] Setting up zettelkasten"
+  gh repo clone zk "$ZK_PATH"
+else
+  echo "[zk] Zettelkasten already set up."
+fi
+
+read -p "Would you like open your zettelkasten? [y/N] " -n 1 -r
+echo
+
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+  $EDITOR "$ZK_PATH"
+fi

home/modules/zk/scripts/zk.sh

@@ -1,8 +1,6 @@
-#!/usr/bin/env bash
+current_zettel_path="$(cat "$ZK_PATH/current-zettel.txt")"
 
-current_zettel_path="$ZK_PATH/$(cat "$ZK_PATH/current-zettel.txt")"
+if [ -n "${TMUX:-}" ]; then
-
-if [ "$TERM_PROGRAM" = tmux ]; then
   cd "$ZK_PATH" && $EDITOR "$current_zettel_path"
 else
   echo 'Not in tmux'
@@ -12,13 +10,9 @@ else
   read -r -p 'Enter your choice: ' choice
   case $choice in
     1)
-      # Check if a tmux session is running with a window named zk
+      if tmux has-session -t zk 2>/dev/null; then
-      if tmux list-windows -F '#{window_name}' | grep -q zk; then
+        tmux attach -t zk
-        # Attach to the session containing the 'zk' window
-        session="$(tmux list-windows -F '#{window_name} #{session_name}' | grep zk | head -n 1 | awk '{ print $2 }')"
-        tmux attach -t "$session"
       else
-        # Create session with a window named 'zk' and start nvim
         tmux new-session -s zk -n zk -d
         tmux send-keys -t zk:zk "cd $ZK_PATH && $EDITOR $current_zettel_path" Enter
         tmux attach -t zk

hosts/andromache/default.nix

@@ -23,6 +23,8 @@ in
       inherit lib config;
       device = "/dev/nvme1n1";
     })
+    ../../modules/ai-tools
+    ../../modules/anki
     ../../modules/audio
     ../../modules/backups
     ../../modules/bluetooth
@@ -31,42 +33,34 @@ in
     ../../modules/firewall
     ../../modules/fonts
     ../../modules/gaming
-    (import ../../modules/networking { hostName = config.host.name; })
+    ../../modules/git
+    ../../modules/hcloud
     ../../modules/keyboard
     ../../modules/localization
+    ../../modules/networking
     ../../modules/nvidia
-    (import ../../modules/secrets { inherit lib inputs config; })
+    ../../modules/secrets
     ../../modules/ssh
     ../../modules/storage
     ../../modules/stylix
     ../../modules/syncthing
+    ../../modules/tailscale
+    ../../modules/taskwarrior
     ../../modules/users
     ../../modules/wol
     ../../modules/yubikey
-    ../../modules/hcloud
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/andromache {
+  home-manager.users.${config.host.username} = import ../../home/hosts/${config.host.name};
-    inherit
-      inputs
-      config
-      pkgs
-      lib
-      ;
-  };
 
-  ssh.username = config.host.username;
+  secrets.nixSigningKey.enable = true;
-  ssh.authorizedHosts = [ "astyanax" ];
 
-  secrets = {
+  restic-backup.enable = true;
-    inherit (config.host) username;
+  tailscale.enable = true;
-    nixSigningKey.enable = true;
+
-  };
+  docker.enable = true;
-  docker.user = config.host.username;
+
-  hcloud = {
+  hcloud.enable = true;
-    enable = true;
-    inherit (config.host) username;
-  };
 
   disko.devices = {
     disk.data = {
@@ -98,7 +92,6 @@ in
 
   my.yubikey = {
     enable = false;
-    inherit (config.host) username;
     keys = [
       {
         handle = "<KeyHandle1>";

hosts/andromache/host.nix

@@ -1,6 +1,7 @@
 {
   host = {
     username = "h";
-    name = "andromache";
+    highRam = true;
+    admin = true;
   };
 }

hosts/andromache/meta.nix

@@ -1,4 +1,9 @@
 {
-  deployment.tags = [ "local" ];
+  system = "x86_64-linux";
+  deployment = {
+    tags = [ "local" ];
+    targetHost = "";
+    targetUser = "h";
+  };
   role = "desktop";
 }

hosts/andromache/system.nix

@@ -1 +0,0 @@
-"x86_64-linux"

hosts/astyanax/default.nix

@@ -16,48 +16,45 @@ in
     inputs.nixos-hardware.nixosModules.common-pc
     inputs.nixos-hardware.nixosModules.common-pc-ssd
     # inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-intel-gen7 (not available yet?)
+    inputs.sops-nix.nixosModules.sops
     ../../modules/common
     ../../modules/boot/bootloader.nix
     (import ../../modules/disko/zfs-encrypted-root.nix {
       inherit lib config;
       device = "/dev/nvme0n1";
     })
-    ../../modules/desktops/niri
+    ../../modules/ai-tools
+    ../../modules/anki
     ../../modules/audio
     ../../modules/backups
     ../../modules/bluetooth
-    ../../modules/keyboard
+    ../../modules/desktops/niri
-    (import ../../modules/networking { hostName = config.host.name; })
+    ../../modules/docker
-    ../../modules/users
+    ../../modules/firewall
-    ../../modules/localization
     ../../modules/fonts
+    ../../modules/git
+    ../../modules/keyboard
+    ../../modules/localization
+    ../../modules/networking
+    ../../modules/nfc
+    ../../modules/secrets
     ../../modules/ssh
     ../../modules/storage
     ../../modules/stylix
-    (import ../../modules/secrets { inherit lib inputs config; })
+    ../../modules/tailscale
-    ../../modules/docker
+    ../../modules/taskwarrior
-    ../../modules/nfc
+    ../../modules/users
-    ../../modules/firewall
+    ../../modules/yubikey
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/astyanax {
+  home-manager.users.${config.host.username} = import ../../home/hosts/${config.host.name};
-    inherit
-      inputs
-      config
-      pkgs
-      lib
-      ;
-  };
 
-  ssh.username = config.host.username;
+  secrets.nixSigningKey.enable = true;
-  ssh.authorizedHosts = [ "andromache" ];
 
-  secrets = {
+  restic-backup.enable = true;
-    inherit (config.host) username;
+  tailscale.enable = true;
-    nixSigningKey.enable = true;
+  docker.enable = true;
-  };
+  nfc.enable = true;
-  docker.user = config.host.username;
-  nfc.user = config.host.username;
   desktop.ly.enable = true;
   audio.automation.enable = true;
 
@@ -100,6 +97,25 @@ in
 
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
 
+  my.yubikey = {
+    enable = true;
+    # inherit (config.host) username;
+    # keys = [
+    #   {
+    #     handle = "<KeyHandle1>";
+    #     userKey = "<UserKey1>";
+    #     coseType = "<CoseType1>";
+    #     options = "<Options1>";
+    #   }
+    #   {
+    #     handle = "<KeyHandle2>";
+    #     userKey = "<UserKey2>";
+    #     coseType = "<CoseType2>";
+    #     options = "<Options2>";
+    #   }
+    # ];
+  };
+
   services = {
     fwupd.enable = true;
     locate = {

hosts/astyanax/host.nix

@@ -1,6 +1,7 @@
 {
   host = {
     username = "h";
-    name = "astyanax";
+    highRam = true;
+    admin = true;
   };
 }

hosts/astyanax/meta.nix

@@ -1,4 +1,9 @@
 {
-  deployment.tags = [ "local" ];
+  system = "x86_64-linux";
+  deployment = {
+    tags = [ "local" ];
+    targetHost = "";
+    targetUser = "h";
+  };
   role = "laptop";
 }

hosts/astyanax/ssh_user.pub

@@ -1 +1 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzP1PjIDb1tN9nhPOK88HYDtTNk9SN9ZpEem2id49Fa h@astyanax
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIJApgl/+QaAtrg0OK5ihXasdcnDwzFo6qtHbgnqGFl25AAAABHNzaDo= h@astyanax

hosts/astyanax/system.nix

@@ -1 +0,0 @@
-"x86_64-linux"

hosts/eetion-02/default.nix

@@ -11,15 +11,6 @@
     ../../modules/ssh
   ];
 
-  ssh = {
-    inherit (config.host) username;
-    publicHostname = config.host.name;
-    authorizedHosts = [
-      "andromache"
-      "astyanax"
-    ];
-  };
-
   boot = {
     kernelParams = [
       "console=ttyS1,115200n8"

hosts/eetion-02/host.nix

@@ -1,6 +1,5 @@
 {
   host = {
     username = "h";
-    name = "eetion-02";
   };
 }

hosts/eetion-02/meta.nix

@@ -1,4 +1,9 @@
 {
-  deployment.tags = [ "arm" ];
+  system = "aarch64-linux";
+  deployment = {
+    tags = [ "arm" ];
+    targetHost = "eetion-02";
+    targetUser = "h";
+  };
   role = "embedded";
 }

hosts/eetion-02/system.nix

@@ -1 +0,0 @@
-"aarch64-linux"

hosts/eetion/default.nix

@@ -9,17 +9,11 @@
     ./host.nix
     ../../modules/common
     ../../modules/ssh
+    ../../modules/tailscale
     # ../../modules/uptime-kuma
   ];
 
-  ssh = {
+  tailscale.enable = true;
-    inherit (config.host) username;
-    publicHostname = config.host.name;
-    authorizedHosts = [
-      "andromache"
-      "astyanax"
-    ];
-  };
 
   boot.loader = {
     grub.enable = false;
@@ -98,7 +92,13 @@
     oci-containers = {
       backend = "podman";
       containers.actualbudget = {
-        image = "docker.io/actualbudget/actual-server:latest-alpine";
+        image = "docker.io/actualbudget/actual-server:26.4.0-alpine";
+        imageFile = pkgs.dockerTools.pullImage {
+          imageName = "docker.io/actualbudget/actual-server";
+          imageDigest = "sha256:996f3a59d297ec9699cb36ce558b61ab16d79c76763a5c3158d5387f71161499";
+          sha256 = "sha256-81On59dSFBNeIjNJEm93b01EldYga2liiztXhjiVoj4=";
+          finalImageTag = "26.4.0-alpine";
+        };
         ports = [ "5006:5006" ];
         volumes = [ "/var/lib/actualbudget:/data" ];
       };

hosts/eetion/host.nix

@@ -1,6 +1,5 @@
 {
   host = {
     username = "h";
-    name = "eetion";
   };
 }

hosts/eetion/meta.nix

@@ -1,4 +1,9 @@
 {
-  deployment.tags = [ "arm" ];
+  system = "aarch64-linux";
+  deployment = {
+    tags = [ "arm" ];
+    targetHost = "eetion";
+    targetUser = "h";
+  };
   role = "embedded";
 }

hosts/eetion/system.nix

@@ -1 +0,0 @@
-"aarch64-linux"

hosts/hecuba/default.nix

@@ -18,16 +18,7 @@
   ];
 
   networking.hostName = config.host.name;
-  ssh = {
+  docker.enable = true;
-    inherit (config.host) username;
-    publicHostname = "server.hektormisplon.xyz";
-    authorizedHosts = [
-      "andromache"
-      "astyanax"
-    ];
-  };
-
-  docker.user = config.host.username;
 
   fileSystems."/" = {
     device = "/dev/disk/by-label/nixos";
@@ -67,6 +58,7 @@
   environment.systemPackages = with pkgs; [
     vim
     git
+    kitty.terminfo
   ];
 
   services.fail2ban = {

hosts/hecuba/host.nix

@@ -1,6 +1,5 @@
 {
   host = {
     username = "username";
-    name = "hecuba";
   };
 }

hosts/hecuba/meta.nix

@@ -1,4 +1,9 @@
 {
-  deployment.tags = [ "cloud" ];
+  system = "x86_64-linux";
+  deployment = {
+    tags = [ "cloud" ];
+    targetHost = "server.hektormisplon.xyz";
+    targetUser = "username";
+  };
   role = "server";
 }

hosts/hecuba/system.nix

@@ -1 +0,0 @@
-"x86_64-linux"

hosts/vm/default.nix

@@ -1,8 +1,6 @@
 {
-  lib,
   inputs,
   config,
-  pkgs,
   ...
 }:
 {
@@ -12,30 +10,25 @@
     ./host.nix
     ./disk.nix
     ../../modules/common
-    ../../modules/boot/bootloader.nix
+    ../../modules/anki
-    ../../modules/keyboard
-    (import ../../modules/networking { hostName = config.host.name; })
-    ../../modules/users
     ../../modules/audio
-    ../../modules/localization
+    ../../modules/boot/bootloader.nix
-    ../../modules/x
     ../../modules/fonts
+    ../../modules/git
+    ../../modules/keyboard
+    ../../modules/localization
+    ../../modules/networking
+    ../../modules/ai-tools
     ../../modules/ssh
     ../../modules/storage
     ../../modules/stylix
-    (import ../../modules/secrets {
+    ../../modules/secrets
-      inherit lib inputs config;
+    ../../modules/taskwarrior
-    })
+    ../../modules/users
+    ../../modules/x
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/vm {
+  home-manager.users.${config.host.username} = import ../../home/hosts/vm;
-    inherit inputs config pkgs;
-  };
-
-  networking.hostName = config.host.name;
-  ssh.username = config.host.username;
-
-  secrets.username = config.host.username;
 
   disko = {
     devices.disk.main = {

hosts/vm/host.nix

@@ -1,6 +1,5 @@
 {
   host = {
     username = "h";
-    name = "vm";
   };
 }

hosts/vm/meta.nix

@@ -1,4 +1,9 @@
 {
-  deployment.tags = [ "local" ];
+  system = "x86_64-linux";
+  deployment = {
+    tags = [ "local" ];
+    targetHost = "";
+    targetUser = "h";
+  };
   role = "vm";
 }

hosts/vm/system.nix

@@ -1 +0,0 @@
-"x86_64-linux"

images/sd-image-orange-pi-aarch64.nix

@@ -12,14 +12,14 @@ let
 in
 {
   imports = [
+    ../modules/common/host.nix
     ../modules/ssh
   ];
 
-  ssh.username = username;
+  host = {
-  ssh.authorizedHosts = [
+    inherit username;
-    "andromache"
+    name = "orange-pi";
-    "astyanax"
+  };
-  ];
 
   nix.settings.experimental-features = [
     "nix-command"

images/sd-image-raspberry-pi-aarch64.nix

@@ -12,14 +12,14 @@ let
 in
 {
   imports = [
+    ../modules/common/host.nix
     ../modules/ssh
   ];
 
-  ssh.username = username;
+  host = {
-  ssh.authorizedHosts = [
+    inherit username;
-    "andromache"
+    name = "raspberry-pi";
-    "astyanax"
+  };
-  ];
 
   boot.kernelParams = [
     "console=ttyS1,115200n8"

modules/ai-tools/default.nix

@@ -0,0 +1,25 @@
+{ config, ... }:
+
+let
+  inherit (config.host) username;
+  inherit (config.secrets) owner;
+in
+{
+  config = {
+    nixpkgs.allowedUnfree = [ "claude-code" ];
+    secrets.groups.opencode = [ "api-key" ];
+
+    sops.templates."opencode/auth.json" = {
+      inherit owner;
+      path = "/home/${username}/.local/share/opencode/auth.json";
+      content = ''
+        {
+          "zai-coding-plan": {
+            "type": "api",
+            "key": "${config.sops.placeholder."opencode/api-key"}"
+          }
+        }
+      '';
+    };
+  };
+}

modules/anki/default.nix

@@ -0,0 +1,6 @@
+{
+  config.secrets.groups.anki = [
+    "sync-user"
+    "sync-key"
+  ];
+}

modules/backups/default.nix

@@ -6,61 +6,48 @@
 
 let
   cfg = config.restic-backup;
-  inherit (config.secrets) sopsDir;
+  host = config.networking.hostName;
 in
 {
-  options = {
+  options.restic-backup = {
-    restic-backup = {
+    enable = lib.mkEnableOption "restic backups";
-      repository = lib.mkOption {
-        type = lib.types.str;
-        default = "b2:${config.sops.placeholder.b2-bucket-name}:${config.networking.hostName}";
-      };
 
-      passwordFile = lib.mkOption {
+    passwordFile = lib.mkOption {
-        type = lib.types.str;
+      type = lib.types.str;
-        default = config.sops.secrets.restic-password.path;
+      default = config.sops.secrets."restic/password".path;
-      };
+    };
 
-      paths = lib.mkOption {
+    paths = lib.mkOption {
-        type = lib.types.listOf lib.types.str;
+      type = lib.types.listOf lib.types.str;
-        default = [ "/home" ];
+      default = [ "/home" ];
-      };
     };
   };
 
-  config = {
+  config = lib.mkIf cfg.enable {
-    sops = {
+    secrets.groups = {
-      secrets = {
+      restic = [ "password" ];
-        restic-password = {
+      backblaze-b2 = [
-          sopsFile = "${sopsDir}/restic-password";
+        "bucket-name"
-        };
+        "account-id"
-        b2-bucket-name = {
+        "account-key"
-          sopsFile = "${sopsDir}/b2-bucket-name";
+      ];
-        };
+    };
-        b2-account-id = {
+
-          sopsFile = "${sopsDir}/b2-account-id";
+    sops.templates = {
-        };
+      "restic/repo-${host}" = {
-        b2-account-key = {
+        content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${host}";
-          sopsFile = "${sopsDir}/b2-account-key";
-        };
       };
-      templates = {
+      "restic/b2-env-${host}" = {
-        "restic/repo-${config.networking.hostName}" = {
+        content = ''
-          content = "b2:${config.sops.placeholder.b2-bucket-name}:${config.networking.hostName}";
+          B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
-        };
+          B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
-        "restic/b2-env-${config.networking.hostName}" = {
+        '';
-          content = ''
-            B2_ACCOUNT_ID=${config.sops.placeholder.b2-account-id}
-            B2_ACCOUNT_KEY=${config.sops.placeholder.b2-account-key}
-          '';
-        };
       };
     };
 
     services.restic.backups.home = {
-      repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
+      repositoryFile = config.sops.templates."restic/repo-${host}".path;
-      inherit (cfg) passwordFile;
+      inherit (cfg) passwordFile paths;
-      inherit (cfg) paths;
       timerConfig = {
         OnCalendar = "daily";
         Persistent = true;
@@ -73,7 +60,7 @@ in
         "--keep-monthly 6"
         "--keep-yearly 1"
       ];
-      environmentFile = config.sops.templates."restic/b2-env-${config.networking.hostName}".path;
+      environmentFile = config.sops.templates."restic/b2-env-${host}".path;
     };
   };
 }

modules/boot/bootloader.nix

@@ -1,4 +1,11 @@
+{ config, ... }:
+
 {
-  boot.loader.systemd-boot.enable = true;
+  boot = {
-  boot.loader.efi.canTouchEfiVariables = true;
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    tmp.useTmpfs = config.host.highRam;
+  };
 }

modules/common/default.nix

@@ -25,6 +25,7 @@ in
     system.stateVersion = lib.mkDefault "25.05";
 
     nix = {
+      nixPath = [ "nixpkgs=${inputs.nixpkgs}" ]; # https://github.com/nix-community/nixd/blob/main/nixd/docs/configuration.md
       optimise = {
         automatic = true;
         dates = [ "05:00" ];
@@ -38,6 +39,9 @@ in
         "nix-command"
         "flakes"
       ];
+      settings.trusted-public-keys = [
+        "nix-signing-key:M6ouQRFl/bZ5QQrceQUyar6P7o8qg4wwVkxD1SSLL2k="
+      ];
     };
 
     system.autoUpgrade = {
@@ -69,6 +73,11 @@ in
           myUtils
           ;
       };
+      sharedModules = [
+        {
+          host.username = lib.mkDefault config.host.username;
+        }
+      ];
     };
   };
 }

modules/common/host.nix

@@ -9,5 +9,25 @@
     name = lib.mkOption {
       type = lib.types.str;
     };
+
+    timezone = lib.mkOption {
+      type = lib.types.str;
+      default = "Europe/Brussels";
+    };
+
+    locale = lib.mkOption {
+      type = lib.types.str;
+      default = "en_US.UTF-8";
+    };
+
+    highRam = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+
+    admin = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
   };
 }

modules/desktops/logind.nix

@@ -0,0 +1,7 @@
+{
+  services.logind.settings.Login = {
+    HandleLidSwitch = "suspend";
+    IdleAction = "suspend";
+    IdleActionSec = 1800;
+  };
+}

modules/desktops/niri/default.nix

@@ -1,9 +1,16 @@
-{ config, lib, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
 
 let
   cfg = config.desktop;
 in
 {
+  imports = [ ../logind.nix ];
+
   options.desktop = {
     ly = {
       enable = lib.mkOption {
@@ -14,16 +21,39 @@ in
   };
 
   config = {
-    programs.niri.enable = true;
+    programs.niri = {
+      enable = true;
+      useNautilus = false;
+    };
+
+    xdg.portal = {
+      enable = true;
+      extraPortals = [
+        pkgs.xdg-desktop-portal-gtk
+      ];
+      config.niri.default = lib.mkForce [
+        "niri"
+        "gtk"
+      ];
+    };
+
+    #  error:
+    #  Failed assertions:
+    #  - h profile: xdg.portal: since you installed Home Manager via its NixOS module and
+    #  'home-manager.useUserPackages' is enabled, you need to add
+    #
+    #  environment.pathsToLink = [ `/share/applications` `/share/xdg-desktop-portal` ];
+    #
+    #  to your NixOS configuration so that the portal definitions and DE
+    #  provided configurations get linked.
+    environment.pathsToLink = [
+      "/share/applications"
+      "/share/xdg-desktop-portal"
+    ];
 
     services = {
+      gnome.gnome-keyring.enable = false;
       dbus.enable = true;
-      logind.settings.Login = {
-        HandleLidSwitch = "suspend";
-        IdleAction = "suspend";
-        IdleActionSec = 1800;
-      };
-
       displayManager.ly = lib.mkIf cfg.ly.enable {
         enable = true;
       };

modules/docker/default.nix

@@ -2,29 +2,17 @@
 
 let
   cfg = config.docker;
+  inherit (config.host) username;
 in
 {
   options.docker = {
+    enable = lib.mkEnableOption "docker";
     rootless = lib.mkOption {
       type = lib.types.bool;
       default = false;
     };
-    user = lib.mkOption {
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-    };
   };
   config = lib.mkMerge [
-    {
-      warnings = lib.flatten [
-        (lib.optional (
-          cfg.rootless && cfg.user != null
-        ) "'virtualisation.docker.user' is ignored when rootless mode is enabled")
-        (lib.optional (
-          !cfg.rootless && cfg.user == null
-        ) "'virtualisation.docker.user' is not set (no user is added to the docker group)")
-      ];
-    }
     (lib.mkIf cfg.rootless {
       virtualisation.docker = {
         enable = false;
@@ -34,11 +22,9 @@ in
         };
       };
     })
-    (lib.mkIf (!cfg.rootless && cfg.user != null) {
+    (lib.mkIf (cfg.enable && !cfg.rootless) {
-      virtualisation.docker = {
+      virtualisation.docker.enable = true;
-        enable = true;
+      users.users.${username}.extraGroups = [ "docker" ];
-      };
-      users.users.${cfg.user}.extraGroups = [ "docker" ];
     })
   ];
 }

modules/gaming/default.nix

@@ -1,12 +1,50 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
 {
   nixpkgs.allowedUnfree = [
     "steam"
     "steam-unwrapped"
+    "lutris"
   ];
 
+  hardware.graphics = {
+    enable32Bit = true;
+    extraPackages = with pkgs; [
+      dxvk
+      vkd3d-proton
+    ];
+  };
+
   programs.steam = {
     enable = true;
     remotePlay.openFirewall = false;
     dedicatedServer.openFirewall = false;
   };
+
+  programs.gamemode.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    # lutris
+    mangohud
+  ];
+
+  home-manager.users.${config.host.username} = {
+    xdg.configFile."lutris/system.yml".text = lib.generators.toJSON { } {
+      system.game_path = "/home/${config.host.username}/games";
+    };
+  };
+
+  security.pam.loginLimits = [
+    {
+      domain = config.host.username;
+      type = "hard";
+      item = "nofile";
+      value = "524288";
+    }
+  ];
 }

modules/git/default.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  ...
+}:
+
+let
+  inherit (config.host) username;
+  owner = config.users.users.${username}.name;
+in
+{
+  config.sops.templates = {
+    ".gitconfig.email" = {
+      inherit owner;
+      path = "/home/${username}/.gitconfig.email";
+      content = ''
+        [user]
+          email = ${config.sops.placeholder."email/personal"}
+      '';
+    };
+    ".gitconfig.work.email" = {
+      inherit owner;
+      path = "/home/${username}/.gitconfig.work.email";
+      content = ''
+        [user]
+          email = ${config.sops.placeholder."email/work"}
+      '';
+    };
+  };
+}

modules/hcloud/default.nix

@@ -6,32 +6,26 @@
 
 let
   cfg = config.hcloud;
-  inherit (config.secrets) sopsDir;
+  inherit (config.host) username;
+  inherit (config.secrets) owner;
 in
 {
   options.hcloud = {
     enable = lib.mkEnableOption "hcloud CLI configuration";
-    username = lib.mkOption {
-      type = lib.types.str;
-      description = "Username for hcloud CLI configuration";
-    };
   };
 
   config = lib.mkIf cfg.enable {
-    sops.secrets.hcloud-token = {
+    secrets.groups.hcloud = [ "api-token" ];
-      sopsFile = "${sopsDir}/hcloud-token";
-      owner = config.users.users.${cfg.username}.name;
-    };
 
     sops.templates."hcloud/cli.toml" = {
-      owner = config.users.users.${cfg.username}.name;
+      inherit owner;
-      path = "/home/${cfg.username}/.config/hcloud/cli.toml";
+      path = "/home/${username}/.config/hcloud/cli.toml";
       content = ''
         active_context = "server"
 
         [[contexts]]
           name = "server"
-          token = "${config.sops.placeholder.hcloud-token}"
+          token = "${config.sops.placeholder."hcloud/api-token"}"
       '';
     };
   };

modules/localization/default.nix

@@ -1,4 +1,6 @@
+{ config, ... }:
+
 {
-  time.timeZone = "Europe/Brussels";
+  time.timeZone = config.host.timezone;
-  i18n.defaultLocale = "en_US.UTF-8";
+  i18n.defaultLocale = config.host.locale;
 }

modules/networking/default.nix

@@ -1,11 +1,8 @@
-{
+{ config, ... }:
-  hostName ? "nixos",
-  ...
-}:
 
 {
   networking = {
-    inherit hostName;
+    hostName = config.host.name;
     wireless.iwd.enable = true;
     networkmanager.wifi.backend = "iwd";
     nftables.enable = true;

modules/nfc/default.nix

@@ -2,15 +2,13 @@
 
 let
   cfg = config.nfc;
+  inherit (config.host) username;
 in
 {
   options.nfc = {
-    user = lib.mkOption {
+    enable = lib.mkEnableOption "NFC device access";
-      type = lib.types.nullOr lib.types.str;
-      default = null;
-    };
   };
-  config = lib.mkIf (cfg.user != null) {
+  config = lib.mkIf cfg.enable {
-    users.users.${cfg.user}.extraGroups = [ "dialout" ];
+    users.users.${username}.extraGroups = [ "dialout" ];
   };
 }

modules/secrets/default.nix

@@ -1,106 +1,78 @@
 {
   lib,
   inputs,
+  pkgs,
   config,
+  myUtils,
   ...
 }:
 
 let
   cfg = config.secrets;
+  inherit (config.host) username;
   inherit (cfg) sopsDir;
-  owner = config.users.users.${cfg.username}.name;
+  owner = config.users.users.${username}.name;
-
-  mkSecret = name: {
-    ${name} = {
-      sopsFile = "${sopsDir}/${name}";
-      inherit owner;
-    };
-  };
 in
 {
   imports = [ inputs.sops-nix.nixosModules.sops ];
 
   options = {
     secrets = {
-      username = lib.mkOption {
-        type = lib.types.str;
-      };
-
       sopsDir = lib.mkOption {
         type = lib.types.str;
         default = "${toString inputs.nix-secrets}/secrets";
       };
 
+      groups = lib.mkOption {
+        type = lib.types.attrsOf (lib.types.listOf lib.types.str);
+        default = { };
+      };
+
+      owner = lib.mkOption {
+        type = lib.types.unspecified;
+      };
+
       nixSigningKey = {
         enable = lib.mkEnableOption "nix signing key configuration";
-        name = lib.mkOption {
+      };
-          type = lib.types.str;
+
-          default = "${config.host.name}-nix-signing-key";
+      yubikey = {
-        };
+        enable = lib.mkEnableOption "set up Yubikey";
       };
     };
   };
 
   config = {
-    sops = {
+    secrets = {
-      age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
+      inherit owner;
-
+      groups = {
-      secrets = lib.mkMerge [
+        email = [
-        (mkSecret "taskwarrior-sync-server-url")
+          "personal"
-        (mkSecret "taskwarrior-sync-server-client-id")
+          "work"
-        (mkSecret "taskwarrior-sync-encryption-secret")
+        ];
-        (mkSecret "anki-sync-user")
+        nix = lib.optional cfg.nixSigningKey.enable "signing-key";
-        (mkSecret "anki-sync-key")
-        (mkSecret "email-personal")
-        (mkSecret "email-work")
-        (mkSecret "opencode-api-key")
-        (lib.mkIf cfg.nixSigningKey.enable (mkSecret cfg.nixSigningKey.name))
-      ];
-
-      templates = {
-        "taskrc.d/sync" = {
-          inherit owner;
-          content = ''
-            sync.server.url=${config.sops.placeholder.taskwarrior-sync-server-url}
-            sync.server.client_id=${config.sops.placeholder.taskwarrior-sync-server-client-id}
-            sync.encryption_secret=${config.sops.placeholder.taskwarrior-sync-encryption-secret}
-          '';
-        };
-
-        ".gitconfig.email" = {
-          inherit owner;
-          path = "/home/${cfg.username}/.gitconfig.email";
-          content = ''
-            [user]
-              email = ${config.sops.placeholder.email-personal}
-          '';
-        };
-        ".gitconfig.work.email" = {
-          inherit owner;
-          path = "/home/${cfg.username}/.gitconfig.work.email";
-          content = ''
-            [user]
-              email = ${config.sops.placeholder.email-work}
-          '';
-        };
-
-        "opencode/auth.json" = {
-          inherit owner;
-          path = "/home/${cfg.username}/.local/share/opencode/auth.json";
-          content = ''
-            {
-              "zai-coding-plan": {
-                "type": "api",
-                "key": "${config.sops.placeholder.opencode-api-key}"
-              }
-            }
-          '';
-        };
       };
     };
 
+    sops = {
+      # for yubikey, generate as follows:
+      # ```
+      # age-plugin-yubikey --identity > <keyfile-path>
+      # ```
+      age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
+      secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
+    };
+
     nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
-      config.sops.secrets.${cfg.nixSigningKey.name}.path
+      config.sops.secrets."nix/signing-key".path
     ];
+
+    services = {
+      pcscd.enable = true; # needed for age-plugin-yubikey?
+      udev.packages = lib.mkIf cfg.yubikey.enable [
+        pkgs.yubikey-personalization
+        pkgs.libfido2
+      ];
+    };
   };
 }

modules/ssh/authorized-keys.nix

@@ -1,28 +1,29 @@
-{ lib, config, ... }:
+{
+  lib,
+  config,
+  ...
+}:
+
+let
+  inherit (config.host) username;
+  adminHosts = (import ../../utils { inherit lib; }).adminHosts ../../hosts;
+in
 {
   options.ssh = {
     authorizedHosts = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       default = [ ];
     };
-    username = lib.mkOption {
-      type = lib.types.str;
-      default = "h";
-    };
-    publicHostname = lib.mkOption {
-      type = lib.types.str;
-      default = "";
-    };
   };
 
   # auto generate authorized_keys from `authorizedHosts`
-  config.users.users.${config.ssh.username}.openssh.authorizedKeys.keys = lib.flatten (
+  config.users.users.${username}.openssh.authorizedKeys.keys = lib.flatten (
     map (
       hostname:
       let
         keyFile = ../../hosts/${hostname}/ssh_user.pub;
       in
       lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile))
-    ) config.ssh.authorizedHosts
+    ) ((builtins.filter (h: h != config.host.name) adminHosts) ++ config.ssh.authorizedHosts)
   );
 }

modules/ssh/extract-keys.nix

@@ -1,6 +1,6 @@
 { lib, config, ... }:
 let
-  inherit (config.ssh) username;
+  inherit (config.host) username;
 in
 {
   # auto extract SSH keys

modules/stylix/default.nix

@@ -30,20 +30,7 @@ in
 
   home-manager.sharedModules = [
     {
-      stylix.targets = {
+      stylix.targets = import ./targets.nix;
-        firefox = {
-          profileNames = [ "default" ];
-          colorTheme.enable = true;
-        };
-        librewolf = {
-          profileNames = [ "default" ];
-          colorTheme.enable = true;
-        };
-        kitty.variant256Colors = true;
-        gnome.enable = false;
-        gtk.enable = false;
-        nixvim.enable = false;
-      };
     }
   ];
 }

modules/stylix/targets.nix

@@ -0,0 +1,14 @@
+{
+  firefox = {
+    profileNames = [ "default" ];
+    colorTheme.enable = true;
+  };
+  librewolf = {
+    profileNames = [ "default" ];
+    colorTheme.enable = true;
+  };
+  kitty.variant256Colors = true;
+  gnome.enable = false;
+  gtk.enable = false;
+  nixvim.enable = false;
+}

modules/syncthing/default.nix

@@ -7,23 +7,18 @@
 with lib;
 
 let
-  cfg = config.my.syncthing;
+  inherit (config.host) username;
 in
 {
-  options.my.syncthing.username = mkOption {
-    type = types.str;
-    default = "h";
-  };
-
   config = {
-    users.groups.${cfg.username} = { };
+    users.groups.${username} = { };
-    users.users.${cfg.username}.extraGroups = [ cfg.username ];
+    users.users.${username}.extraGroups = [ username ];
 
     services.syncthing = {
       enable = true;
-      user = cfg.username;
+      user = username;
-      group = cfg.username;
+      group = username;
-      configDir = "/home/${cfg.username}/.local/state/syncthing";
+      configDir = "/home/${username}/.local/state/syncthing";
       openDefaultPorts = true;
     };
   };

modules/tailscale/default.nix

@@ -0,0 +1,19 @@
+{
+  lib,
+  config,
+  ...
+}:
+{
+  options.tailscale = {
+    enable = lib.mkEnableOption "tailscale";
+  };
+
+  config = lib.mkIf config.tailscale.enable {
+    services.tailscale = {
+      enable = true;
+      extraSetFlags = [ "--netfilter-mode=nodivert" ];
+      extraDaemonFlags = [ "--no-logs-no-support" ];
+      openFirewall = false;
+    };
+  };
+}

modules/taskwarrior/default.nix

@@ -0,0 +1,23 @@
+{ config, ... }:
+
+let
+  inherit (config.secrets) owner;
+in
+{
+  config = {
+    secrets.groups.taskwarrior = [
+      "sync-server-url"
+      "sync-server-client-id"
+      "sync-encryption-secret"
+    ];
+
+    sops.templates."taskrc.d/sync" = {
+      inherit owner;
+      content = ''
+        sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"}
+        sync.server.client_id=${config.sops.placeholder."taskwarrior/sync-server-client-id"}
+        sync.encryption_secret=${config.sops.placeholder."taskwarrior/sync-encryption-secret"}
+      '';
+    };
+  };
+}

modules/users/default.nix

@@ -1,7 +1,9 @@
+{ config, ... }:
+
 {
-  users.users.h = {
+  users.users.${config.host.username} = {
     isNormalUser = true;
-    description = "h";
+    description = config.host.username;
     extraGroups = [ "wheel" ];
     initialPassword = "h";
   };