chore: update lockfile

.envrc

@@ -0,0 +1 @@
+use flake

.gitignore

@@ -9,4 +9,5 @@ result-*
 
 nixos-efi-vars.fd
 
-/.pre-commit-config.yaml
+.direnv/
+.pre-commit-config.yaml

deploy/colmena.nix

@@ -8,24 +8,25 @@ let
   utils = import ../utils { inherit lib; };
   hostDirNames = utils.dirNames ../hosts;
 
-  mkNode = hostname: meta: {
+  mkNode = hostname: tags: {
     imports = [ ../hosts/${hostname} ];
     deployment = {
-      inherit (meta.deployment) targetHost targetUser tags;
+      targetHost = self.nixosConfigurations.${hostname}.config.ssh.publicHostname;
-      buildOnTarget = builtins.any (t: t != "local" && t != "arm") meta.deployment.tags;
+      targetUser = self.nixosConfigurations.${hostname}.config.ssh.username;
+      buildOnTarget = builtins.any (t: t != "local" && t != "arm") tags;
+      inherit tags;
     };
   };
 
-  nodes = lib.genAttrs hostDirNames (hostname: mkNode hostname (utils.hostMeta ../hosts/${hostname}));
+  nodes = lib.genAttrs hostDirNames (
+    hostname: mkNode hostname (utils.hostMeta ../hosts/${hostname}).deployment.tags
+  );
+
 in
 inputs.colmena.lib.makeHive (
   {
     meta = {
-      nixpkgs = import inputs.nixpkgs {
+      nixpkgs = import inputs.nixpkgs { localSystem = "x86_64-linux"; };
-        localSystem = "x86_64-linux";
-      };
-
-      nodeNixpkgs = builtins.mapAttrs (_: v: v.pkgs) self.nixosConfigurations;
       specialArgs = {
         inherit inputs;
         outputs = self;

flake.lock

@@ -121,11 +121,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1776744173,
+        "lastModified": 1776657773,
-        "narHash": "sha256-9pZQWypgc0H1lgyuGmLqEL5IKVdHMw/NoO/iFcoSrW0=",
+        "narHash": "sha256-GgExKCDspgASVM6sRH0VcVyixQznxuR4tjiAA7MfKxs=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "a803876f3cfc65f8858d413cef2b7d10d50a81d7",
+        "rev": "986236cd6fad0979233ae5e73456a365f79ff198",
         "type": "gitlab"
       },
       "original": {
@@ -342,11 +342,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776777932,
+        "lastModified": 1776701552,
-        "narHash": "sha256-0R3Yow/NzSeVGUke5tL7CCkqmss4Vmi6BbV6idHzq/8=",
+        "narHash": "sha256-CCRzOEFg6JwCdZIR5dLD0ypah5/e2JQVuWQ/l3rYrPY=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "5d5640599a0050b994330328b9fd45709c909720",
+        "rev": "c81775b640d4507339d127f5adb4105f6015edf2",
         "type": "github"
       },
       "original": {
@@ -398,10 +398,10 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1776422417,
+        "lastModified": 1776716353,
-        "narHash": "sha256-9R4MePj/UT0tqkWEq4Afg7Lp/zdfYHkW+qmpVGchKIs=",
+        "narHash": "sha256-4gmunPEtk1oOK/77YP7M5N0rO9mSPYPrEZbELMKkZDE=",
         "ref": "main",
-        "rev": "75759a14e8d46421fca4306393a38b5ad5240f09",
+        "rev": "13b5d656e0bef196f40d1be8581a97569f7a7eb9",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/hektor/nix-secrets"
@@ -665,11 +665,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776771786,
+        "lastModified": 1776119890,
-        "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=",
+        "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598",
+        "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
         "type": "github"
       },
       "original": {

flake.nix

@@ -76,7 +76,7 @@
           nixpkgs.lib.nixosSystem {
             modules = [
               ./hosts/${host}
-              { nixpkgs.hostPlatform = (myUtils.hostMeta ./hosts/${host}).system; }
+              { nixpkgs.hostPlatform = import ./hosts/${host}/system.nix; }
             ];
             specialArgs = {
               inherit

home/hosts/andromache/default.nix

@@ -25,6 +25,7 @@
     ../../modules/nvim
     ../../modules/pandoc
     ../../modules/photography
+    ../../modules/secrets
     ../../modules/shell
     ../../modules/ssh
     ../../modules/taskwarrior

home/hosts/work/default.nix

@@ -5,6 +5,9 @@
   ...
 }:
 
+let
+  username = "hektor";
+in
 {
   imports = [
     inputs.sops-nix.homeManagerModules.sops
@@ -54,8 +57,8 @@
 
   home = {
     stateVersion = "25.05";
-    username = "hektor";
+    inherit username;
-    homeDirectory = "/home/${config.home.username}";
+    homeDirectory = "/home/${username}";
   };
 
   targets.genericLinux.nixGL = {

home/modules/anki/default.nix

@@ -13,10 +13,12 @@ let
   standalone = osConfig == null;
 in
 lib.optionalAttrs standalone {
-  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "anki" [
+  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
-    "sync-user"
+    anki = [
-    "sync-key"
+      "sync-user"
-  ] { };
+      "sync-key"
+    ];
+  };
 }
 // {
   warnings = lib.optional (

home/modules/dconf/default.nix

@@ -3,7 +3,6 @@
 let
   terminal = "kitty";
   browser = config.browser.primary;
-  font = "${config.stylix.fonts.monospace.name} ${toString config.stylix.fonts.sizes.applications}";
 in
 {
   dconf.settings = {
@@ -41,9 +40,9 @@ in
       clock-show-weekday = true;
       color-scheme = "prefer-dark";
       enable-hot-corners = false;
-      font-name = font;
+      font-name = "Iosevka Term SS08 12";
       locate-pointer = true;
-      monospace-font-name = font;
+      monospace-font-name = "Iosevka Term SS08 12";
     };
 
     "org/gnome/desktop/wm/keybindings" = {

home/modules/default.nix

@@ -6,32 +6,25 @@
 }:
 
 {
-  options = {
+  options.nixgl.wrap = lib.mkOption {
-    host.username = lib.mkOption {
+    type = lib.types.functionTo lib.types.package;
-      type = lib.types.str;
+    default = if config.lib ? nixGL then config.lib.nixGL.wrap else lib.id;
-      default = config.home.username;
+    readOnly = true;
-    };
+  };
 
-    nixgl.wrap = lib.mkOption {
+  options.wrapApp = lib.mkOption {
-      type = lib.types.functionTo lib.types.package;
+    type = lib.types.raw;
-      default = if config.lib ? nixGL then config.lib.nixGL.wrap else lib.id;
+    default =
-      readOnly = true;
+      pkg: flags:
-    };
+      if config.lib ? nixGL then
-
+        pkg.overrideAttrs (old: {
-    wrapApp = lib.mkOption {
+          nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ];
-      type = lib.types.raw;
+          postInstall = (old.postInstall or "") + ''
-      default =
+            wrapProgram $out/bin/${pkg.meta.mainProgram} --add-flags "${flags}"
-        pkg: flags:
+          '';
-        if config.lib ? nixGL then
+        })
-          pkg.overrideAttrs (old: {
+      else
-            nativeBuildInputs = (old.nativeBuildInputs or [ ]) ++ [ pkgs.makeWrapper ];
+        pkg;
-            postInstall = (old.postInstall or "") + ''
+    readOnly = true;
-              wrapProgram $out/bin/${pkg.meta.mainProgram} --add-flags "${flags}"
-            '';
-          })
-        else
-          pkg;
-      readOnly = true;
-    };
   };
 }

home/modules/ssh/default.nix

@@ -1,15 +1,18 @@
 {
-  myUtils,
+  outputs,
   lib,
   pkgs,
   ...
 }:
 let
-  hostDir = ../../hosts;
+  nixosConfigs = builtins.attrNames outputs.nixosConfigurations;
-  hostNames = myUtils.dirNames hostDir;
+  homeConfigs = map (n: lib.last (lib.splitString "@" n)) (
+    builtins.attrNames outputs.homeConfigurations
+  );
+  allHosts = lib.unique (homeConfigs ++ nixosConfigs);
   hostsWithKeys = lib.filter (
-    hostname: builtins.pathExists (hostDir + "/${hostname}/ssh_host.pub")
+    hostname: builtins.pathExists ../../hosts/${hostname}/ssh_host.pub
-  ) hostNames;
+  ) allHosts;
 in
 {
   home.packages = with pkgs; [ sshfs ];
@@ -22,14 +25,15 @@ in
       lib.genAttrs hostsWithKeys (
         hostname:
         let
-          meta = myUtils.hostMeta (hostDir + "/${hostname}");
+          hostConfig = outputs.nixosConfigurations.${hostname}.config;
+          inherit (hostConfig.ssh) publicHostname username;
         in
         {
           host = hostname;
-          user = meta.deployment.targetUser;
+          user = username;
         }
-        // lib.optionalAttrs (meta.deployment.targetHost != "") {
+        // lib.optionalAttrs (publicHostname != "") {
-          hostname = meta.deployment.targetHost;
+          hostname = publicHostname;
         }
       )
       // {

home/modules/stylix/default.nix

@@ -25,6 +25,21 @@ in
       sansSerif = config.stylix.fonts.monospace;
       emoji = config.stylix.fonts.monospace;
     };
-    targets = import ../../../modules/stylix/targets.nix;
+    targets = {
+      firefox = {
+        profileNames = [ "default" ];
+        colorTheme.enable = true;
+      };
+      librewolf = {
+        profileNames = [ "default" ];
+        colorTheme.enable = true;
+      };
+      gnome.enable = false;
+      gtk.enable = false;
+      kitty = {
+        variant256Colors = true;
+      };
+      nixvim.enable = false;
+    };
   };
 }

home/modules/taskwarrior/default.nix

@@ -15,11 +15,13 @@ let
 in
 lib.optionalAttrs standalone {
   sops = {
-    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "taskwarrior" [
+    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
-      "sync-server-url"
+      taskwarrior = [
-      "sync-server-client-id"
+        "sync-server-url"
-      "sync-encryption-secret"
+        "sync-server-client-id"
-    ] { };
+        "sync-encryption-secret"
+      ];
+    };
 
     templates."taskrc.d/sync" = {
       content = ''

hosts/andromache/default.nix

@@ -51,17 +51,32 @@ in
     ../../modules/yubikey
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/andromache;
+  home-manager.users.${config.host.username} = import ../../home/hosts/andromache {
+    inherit
+      inputs
+      config
+      pkgs
+      lib
+      ;
+  };
 
+  ssh.username = config.host.username;
   ssh.authorizedHosts = [ "astyanax" ];
 
-  secrets.nixSigningKey.enable = true;
+  secrets = {
+    inherit (config.host) username;
+    nixSigningKey.enable = true;
+  };
 
+  restic-backup.enable = true;
   tailscale.enable = true;
 
-  docker.enable = true;
+  docker.user = config.host.username;
 
-  hcloud.enable = true;
+  hcloud = {
+    enable = true;
+    inherit (config.host) username;
+  };
 
   disko.devices = {
     disk.data = {
@@ -93,6 +108,7 @@ in
 
   my.yubikey = {
     enable = false;
+    inherit (config.host) username;
     keys = [
       {
         handle = "<KeyHandle1>";

hosts/andromache/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "x86_64-linux";
+  deployment.tags = [ "local" ];
-  deployment = {
-    tags = [ "local" ];
-    targetHost = "";
-    targetUser = "h";
-  };
   role = "desktop";
 }

hosts/andromache/system.nix

@@ -0,0 +1 @@
+"x86_64-linux"

hosts/astyanax/default.nix

@@ -47,15 +47,27 @@ in
     ../../modules/yubikey
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/astyanax;
+  home-manager.users.${config.host.username} = import ../../home/hosts/astyanax {
+    inherit
+      inputs
+      config
+      pkgs
+      lib
+      ;
+  };
 
+  ssh.username = config.host.username;
   ssh.authorizedHosts = [ "andromache" ];
 
-  secrets.nixSigningKey.enable = true;
+  secrets = {
+    inherit (config.host) username;
+    nixSigningKey.enable = true;
+  };
 
+  restic-backup.enable = true;
   tailscale.enable = true;
-  docker.enable = true;
+  docker.user = config.host.username;
-  nfc.enable = true;
+  nfc.user = config.host.username;
   desktop.ly.enable = true;
   audio.automation.enable = true;
 

hosts/astyanax/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "x86_64-linux";
+  deployment.tags = [ "local" ];
-  deployment = {
-    tags = [ "local" ];
-    targetHost = "";
-    targetUser = "h";
-  };
   role = "laptop";
 }

hosts/astyanax/system.nix

@@ -0,0 +1 @@
+"x86_64-linux"

hosts/eetion-02/default.nix

@@ -12,6 +12,8 @@
   ];
 
   ssh = {
+    inherit (config.host) username;
+    publicHostname = config.host.name;
     authorizedHosts = [
       "andromache"
       "astyanax"

hosts/eetion-02/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "aarch64-linux";
+  deployment.tags = [ "arm" ];
-  deployment = {
-    tags = [ "arm" ];
-    targetHost = "eetion-02";
-    targetUser = "h";
-  };
   role = "embedded";
 }

hosts/eetion-02/system.nix

@@ -0,0 +1 @@
+"aarch64-linux"

hosts/eetion/default.nix

@@ -9,10 +9,15 @@
     ./host.nix
     ../../modules/common
     ../../modules/ssh
+    ../../modules/tailscale
     # ../../modules/uptime-kuma
   ];
 
+  tailscale.enable = true;
+
   ssh = {
+    inherit (config.host) username;
+    publicHostname = config.host.name;
     authorizedHosts = [
       "andromache"
       "astyanax"

hosts/eetion/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "aarch64-linux";
+  deployment.tags = [ "arm" ];
-  deployment = {
-    tags = [ "arm" ];
-    targetHost = "eetion";
-    targetUser = "h";
-  };
   role = "embedded";
 }

hosts/eetion/system.nix

@@ -0,0 +1 @@
+"aarch64-linux"

hosts/hecuba/default.nix

@@ -19,13 +19,15 @@
 
   networking.hostName = config.host.name;
   ssh = {
+    inherit (config.host) username;
+    publicHostname = "server.hektormisplon.xyz";
     authorizedHosts = [
       "andromache"
       "astyanax"
     ];
   };
 
-  docker.enable = true;
+  docker.user = config.host.username;
 
   fileSystems."/" = {
     device = "/dev/disk/by-label/nixos";

hosts/hecuba/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "x86_64-linux";
+  deployment.tags = [ "cloud" ];
-  deployment = {
-    tags = [ "cloud" ];
-    targetHost = "server.hektormisplon.xyz";
-    targetUser = "username";
-  };
   role = "server";
 }

hosts/hecuba/system.nix

@@ -0,0 +1 @@
+"x86_64-linux"

hosts/vm/default.nix

@@ -1,6 +1,7 @@
 {
   inputs,
   config,
+  pkgs,
   ...
 }:
 {
@@ -28,7 +29,13 @@
     ../../modules/x
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/vm;
+  home-manager.users.${config.host.username} = import ../../home/hosts/vm {
+    inherit inputs config pkgs;
+  };
+
+  ssh.username = config.host.username;
+
+  secrets.username = config.host.username;
 
   disko = {
     devices.disk.main = {

hosts/vm/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "x86_64-linux";
+  deployment.tags = [ "local" ];
-  deployment = {
-    tags = [ "local" ];
-    targetHost = "";
-    targetUser = "h";
-  };
   role = "vm";
 }

hosts/vm/system.nix

@@ -0,0 +1 @@
+"x86_64-linux"

images/sd-image-orange-pi-aarch64.nix

@@ -12,15 +12,10 @@ let
 in
 {
   imports = [
-    ../modules/common/host.nix
     ../modules/ssh
   ];
 
-  host = {
+  ssh.username = username;
-    inherit username;
-    name = "orange-pi";
-  };
-
   ssh.authorizedHosts = [
     "andromache"
     "astyanax"

images/sd-image-raspberry-pi-aarch64.nix

@@ -12,15 +12,10 @@ let
 in
 {
   imports = [
-    ../modules/common/host.nix
     ../modules/ssh
   ];
 
-  host = {
+  ssh.username = username;
-    inherit username;
-    name = "raspberry-pi";
-  };
-
   ssh.authorizedHosts = [
     "andromache"
     "astyanax"

modules/ai-tools/default.nix

@@ -1,15 +1,13 @@
-{ config, myUtils, ... }:
+{ config, ... }:
 
 let
-  inherit (config.secrets) sopsDir;
+  inherit (config.secrets) username owner;
-  inherit (config.host) username;
-  owner = config.users.users.${username}.name;
 in
 {
-  config.sops = {
+  config = {
-    secrets = myUtils.mkSopsSecrets sopsDir "opencode" [ "api-key" ] { inherit owner; };
+    secrets.groups.opencode = [ "api-key" ];
 
-    templates."opencode/auth.json" = {
+    sops.templates."opencode/auth.json" = {
       inherit owner;
       path = "/home/${username}/.local/share/opencode/auth.json";
       content = ''

modules/anki/default.nix

@@ -1,12 +1,6 @@
-{ config, myUtils, ... }:
-
-let
-  inherit (config.secrets) sopsDir;
-  inherit (config.host) username;
-  owner = config.users.users.${username}.name;
-in
 {
-  config.sops = {
+  config.secrets.groups.anki = [
-    secrets = myUtils.mkSopsSecrets sopsDir "anki" [ "sync-user" "sync-key" ] { inherit owner; };
+    "sync-user"
-  };
+    "sync-key"
+  ];
 }

modules/backups/default.nix

@@ -1,57 +1,53 @@
 {
   lib,
   config,
-  myUtils,
   ...
 }:
 
 let
   cfg = config.restic-backup;
-  inherit (config.secrets) sopsDir;
+  host = config.networking.hostName;
 in
 {
-  options = {
+  options.restic-backup = {
-    restic-backup = {
+    enable = lib.mkEnableOption "restic backups";
-      repository = lib.mkOption {
-        type = lib.types.str;
-        default = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${config.networking.hostName}";
-      };
 
-      passwordFile = lib.mkOption {
+    passwordFile = lib.mkOption {
-        type = lib.types.str;
+      type = lib.types.str;
-        default = config.sops.secrets."restic/password".path;
+      default = config.sops.secrets."restic/password".path;
-      };
+    };
 
-      paths = lib.mkOption {
+    paths = lib.mkOption {
-        type = lib.types.listOf lib.types.str;
+      type = lib.types.listOf lib.types.str;
-        default = [ "/home" ];
+      default = [ "/home" ];
-      };
     };
   };
 
-  config = {
+  config = lib.mkIf cfg.enable {
-    sops = {
+    secrets.groups = {
-      secrets = lib.mkMerge [
+      restic = [ "password" ];
-        (myUtils.mkSopsSecrets sopsDir "restic" [ "password" ] { })
+      backblaze-b2 = [
-        (myUtils.mkSopsSecrets sopsDir "backblaze-b2" [ "bucket-name" "account-id" "account-key" ] { })
+        "bucket-name"
+        "account-id"
+        "account-key"
       ];
-      templates = {
+    };
-        "restic/repo-${config.networking.hostName}" = {
+
-          content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${config.networking.hostName}";
+    sops.templates = {
-        };
+      "restic/repo-${host}" = {
-        "restic/b2-env-${config.networking.hostName}" = {
+        content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${host}";
-          content = ''
+      };
-            B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
+      "restic/b2-env-${host}" = {
-            B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
+        content = ''
-          '';
+          B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
-        };
+          B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
+        '';
       };
     };
 
     services.restic.backups.home = {
-      repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
+      repositoryFile = config.sops.templates."restic/repo-${host}".path;
-      inherit (cfg) passwordFile;
+      inherit (cfg) passwordFile paths;
-      inherit (cfg) paths;
       timerConfig = {
         OnCalendar = "daily";
         Persistent = true;
@@ -64,7 +60,7 @@ in
         "--keep-monthly 6"
         "--keep-yearly 1"
       ];
-      environmentFile = config.sops.templates."restic/b2-env-${config.networking.hostName}".path;
+      environmentFile = config.sops.templates."restic/b2-env-${host}".path;
     };
   };
 }

modules/common/default.nix

@@ -73,11 +73,6 @@ in
           myUtils
           ;
       };
-      sharedModules = [
-        {
-          host.username = lib.mkDefault config.host.username;
-        }
-      ];
     };
   };
 }

modules/docker/default.nix

@@ -2,17 +2,29 @@
 
 let
   cfg = config.docker;
-  inherit (config.host) username;
 in
 {
   options.docker = {
-    enable = lib.mkEnableOption "docker";
     rootless = lib.mkOption {
       type = lib.types.bool;
       default = false;
     };
+    user = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+    };
   };
   config = lib.mkMerge [
+    {
+      warnings = lib.flatten [
+        (lib.optional (
+          cfg.rootless && cfg.user != null
+        ) "'virtualisation.docker.user' is ignored when rootless mode is enabled")
+        (lib.optional (
+          !cfg.rootless && cfg.user == null
+        ) "'virtualisation.docker.user' is not set (no user is added to the docker group)")
+      ];
+    }
     (lib.mkIf cfg.rootless {
       virtualisation.docker = {
         enable = false;
@@ -22,9 +34,11 @@ in
         };
       };
     })
-    (lib.mkIf (cfg.enable && !cfg.rootless) {
+    (lib.mkIf (!cfg.rootless && cfg.user != null) {
-      virtualisation.docker.enable = true;
+      virtualisation.docker = {
-      users.users.${username}.extraGroups = [ "docker" ];
+        enable = true;
+      };
+      users.users.${cfg.user}.extraGroups = [ "docker" ];
     })
   ];
 }

modules/git/default.nix

@@ -4,7 +4,7 @@
 }:
 
 let
-  inherit (config.host) username;
+  inherit (config.secrets) username;
   owner = config.users.users.${username}.name;
 in
 {

modules/hcloud/default.nix

@@ -1,28 +1,28 @@
 {
   lib,
   config,
-  myUtils,
   ...
 }:
 
 let
   cfg = config.hcloud;
-  inherit (config.host) username;
+  inherit (config.secrets) owner;
-  inherit (config.secrets) sopsDir;
 in
 {
   options.hcloud = {
     enable = lib.mkEnableOption "hcloud CLI configuration";
+    username = lib.mkOption {
+      type = lib.types.str;
+      description = "username for hcloud CLI configuration";
+    };
   };
 
   config = lib.mkIf cfg.enable {
-    sops.secrets = myUtils.mkSopsSecrets sopsDir "hcloud" [ "api-token" ] {
+    secrets.groups.hcloud = [ "api-token" ];
-      owner = config.users.users.${username}.name;
-    };
 
     sops.templates."hcloud/cli.toml" = {
-      owner = config.users.users.${username}.name;
+      inherit owner;
-      path = "/home/${username}/.config/hcloud/cli.toml";
+      path = "/home/${cfg.username}/.config/hcloud/cli.toml";
       content = ''
         active_context = "server"
 

modules/nfc/default.nix

@@ -2,13 +2,15 @@
 
 let
   cfg = config.nfc;
-  inherit (config.host) username;
 in
 {
   options.nfc = {
-    enable = lib.mkEnableOption "NFC device access";
+    user = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+    };
   };
-  config = lib.mkIf cfg.enable {
+  config = lib.mkIf (cfg.user != null) {
-    users.users.${username}.extraGroups = [ "dialout" ];
+    users.users.${cfg.user}.extraGroups = [ "dialout" ];
   };
 }

modules/secrets/default.nix

@@ -9,53 +9,64 @@
 
 let
   cfg = config.secrets;
-  inherit (config.host) username;
   inherit (cfg) sopsDir;
-  owner = config.users.users.${username}.name;
+  owner = config.users.users.${cfg.username}.name;
-  mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
 in
 {
   imports = [ inputs.sops-nix.nixosModules.sops ];
 
-  options = {
+  options.secrets = {
-    secrets = {
+    username = lib.mkOption {
-      sopsDir = lib.mkOption {
+      type = lib.types.str;
-        type = lib.types.str;
+    };
-        default = "${toString inputs.nix-secrets}/secrets";
-      };
 
-      nixSigningKey = {
+    sopsDir = lib.mkOption {
-        enable = lib.mkEnableOption "nix signing key configuration";
+      type = lib.types.str;
-      };
+      default = "${toString inputs.nix-secrets}/secrets";
+    };
 
-      yubikey = {
+    groups = lib.mkOption {
-        enable = lib.mkEnableOption "set up Yubikey";
+      type = lib.types.attrsOf (lib.types.listOf lib.types.str);
-      };
+      default = { };
+      description = "Declarative secret groups: { group = [ key names ]; }";
+    };
+
+    owner = lib.mkOption {
+      type = lib.types.unspecified;
+    };
+
+    nixSigningKey = {
+      enable = lib.mkEnableOption "nix signing key configuration";
+    };
+
+    yubikey = {
+      enable = lib.mkEnableOption "set up Yubikey";
     };
   };
 
   config = {
+    secrets = {
+      inherit owner;
+      groups = {
+        email = [
+          "personal"
+          "work"
+        ];
+        nix = lib.optional cfg.nixSigningKey.enable "signing-key";
+      };
+    };
+
     sops = {
       # for yubikey, generate as follows:
       # ```
       # age-plugin-yubikey --identity > <keyfile-path>
       # ```
-      age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
+      age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
-
+      secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
-      secrets = lib.mkMerge [
-        (mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
-        (lib.mkIf cfg.nixSigningKey.enable {
-          nix-signing-key = {
-            sopsFile = "${sopsDir}/nix.yaml";
-            key = "signing-key";
-            inherit owner;
-          };
-        })
-      ];
     };
 
     nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
-      config.sops.secrets.nix-signing-key.path
+      config.sops.secrets."nix/signing-key".path
     ];
 
     services = {

modules/ssh/authorized-keys.nix

@@ -1,18 +1,22 @@
 { lib, config, ... }:
-
-let
-  inherit (config.host) username;
-in
 {
   options.ssh = {
     authorizedHosts = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       default = [ ];
     };
+    username = lib.mkOption {
+      type = lib.types.str;
+      default = "h";
+    };
+    publicHostname = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+    };
   };
 
   # auto generate authorized_keys from `authorizedHosts`
-  config.users.users.${username}.openssh.authorizedKeys.keys = lib.flatten (
+  config.users.users.${config.ssh.username}.openssh.authorizedKeys.keys = lib.flatten (
     map (
       hostname:
       let

modules/ssh/extract-keys.nix

@@ -1,6 +1,6 @@
 { lib, config, ... }:
 let
-  inherit (config.host) username;
+  inherit (config.ssh) username;
 in
 {
   # auto extract SSH keys

modules/stylix/default.nix

@@ -30,7 +30,20 @@ in
 
   home-manager.sharedModules = [
     {
-      stylix.targets = import ./targets.nix;
+      stylix.targets = {
+        firefox = {
+          profileNames = [ "default" ];
+          colorTheme.enable = true;
+        };
+        librewolf = {
+          profileNames = [ "default" ];
+          colorTheme.enable = true;
+        };
+        kitty.variant256Colors = true;
+        gnome.enable = false;
+        gtk.enable = false;
+        nixvim.enable = false;
+      };
     }
   ];
 }

modules/stylix/targets.nix

@@ -1,14 +0,0 @@
-{
-  firefox = {
-    profileNames = [ "default" ];
-    colorTheme.enable = true;
-  };
-  librewolf = {
-    profileNames = [ "default" ];
-    colorTheme.enable = true;
-  };
-  kitty.variant256Colors = true;
-  gnome.enable = false;
-  gtk.enable = false;
-  nixvim.enable = false;
-}

modules/syncthing/default.nix

@@ -7,18 +7,23 @@
 with lib;
 
 let
-  inherit (config.host) username;
+  cfg = config.my.syncthing;
 in
 {
+  options.my.syncthing.username = mkOption {
+    type = types.str;
+    default = "h";
+  };
+
   config = {
-    users.groups.${username} = { };
+    users.groups.${cfg.username} = { };
-    users.users.${username}.extraGroups = [ username ];
+    users.users.${cfg.username}.extraGroups = [ cfg.username ];
 
     services.syncthing = {
       enable = true;
-      user = username;
+      user = cfg.username;
-      group = username;
+      group = cfg.username;
-      configDir = "/home/${username}/.local/state/syncthing";
+      configDir = "/home/${cfg.username}/.local/state/syncthing";
       openDefaultPorts = true;
     };
   };

modules/taskwarrior/default.nix

@@ -1,19 +1,17 @@
-{ config, myUtils, ... }:
+{ config, ... }:
 
 let
-  inherit (config.secrets) sopsDir;
+  inherit (config.secrets) owner;
-  inherit (config.host) username;
-  owner = config.users.users.${username}.name;
 in
 {
-  config.sops = {
+  config = {
-    secrets = myUtils.mkSopsSecrets sopsDir "taskwarrior" [
+    secrets.groups.taskwarrior = [
       "sync-server-url"
       "sync-server-client-id"
       "sync-encryption-secret"
-    ] { inherit owner; };
+    ];
 
-    templates."taskrc.d/sync" = {
+    sops.templates."taskrc.d/sync" = {
       inherit owner;
       content = ''
         sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"}

modules/yubikey/default.nix

@@ -9,14 +9,18 @@ with lib;
 
 let
   cfg = config.my.yubikey;
-  inherit (config.host) username;
   formatKey = key: ":${key.handle},${key.userKey},${key.coseType},${key.options}";
-  authfileContent = u: keys: u + lib.concatMapStrings formatKey keys;
+  authfileContent = username: keys: username + lib.concatMapStrings formatKey keys;
 in
 {
   options.my.yubikey = {
     enable = mkEnableOption "yubiKey U2F authentication";
 
+    username = mkOption {
+      type = types.str;
+      default = "h";
+    };
+
     origin = mkOption {
       type = types.str;
       default = "pam://yubi";
@@ -57,7 +61,7 @@ in
           interactive = true;
           cue = true;
           inherit (cfg) origin;
-          authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.keys);
+          authfile = pkgs.writeText "u2f-mappings" (authfileContent cfg.username cfg.keys);
         };
       };
       services = {

utils/default.nix

@@ -1,41 +1,12 @@
 { lib }:
 
+let
+  hosts = import ./hosts.nix;
+  secrets = import ./secrets.nix { inherit lib; };
+in
 {
   dirNames =
     path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path));
-
-  hostMeta =
-    hostDir:
-    if builtins.pathExists (hostDir + "/meta.nix") then
-      import (hostDir + "/meta.nix")
-    else
-      throw "meta.nix required in ${hostDir}";
-
-  mkSopsSecrets =
-    sopsDir: group: names: extraOpts:
-    let
-      file = "${group}.yaml";
-    in
-    lib.foldl' lib.mergeAttrs { } (
-      map (name: {
-        "${group}/${name}" = {
-          sopsFile = "${sopsDir}/${file}";
-          key = name;
-        }
-        // extraOpts;
-      }) names
-    );
-
-  sopsAvailability =
-    config: osConfig:
-    let
-      osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
-      hmSopsAvailable = config ? sops && config.sops ? secrets;
-      preferOs = osSopsAvailable;
-    in
-    {
-      available = osSopsAvailable || hmSopsAvailable;
-      secrets = if preferOs then osConfig.sops.secrets else config.sops.secrets;
-      templates = if preferOs then osConfig.sops.templates else config.sops.templates;
-    };
 }
+// hosts
+// secrets

utils/hosts.nix

@@ -0,0 +1,8 @@
+{
+  hostMeta =
+    hostDir:
+    if builtins.pathExists (hostDir + "/meta.nix") then
+      import (hostDir + "/meta.nix")
+    else
+      throw "meta.nix required in ${hostDir}";
+}

utils/secrets.nix

@@ -0,0 +1,37 @@
+{ lib }:
+
+{
+  mkSopsSecrets =
+    sopsDir: owner: groups:
+    let
+      opts = lib.optionalAttrs (owner != null) { inherit owner; };
+      mkGroup =
+        group: names:
+        let
+          file = "${group}.yaml";
+        in
+        lib.foldl' lib.mergeAttrs { } (
+          map (name: {
+            "${group}/${name}" = {
+              sopsFile = "${sopsDir}/${file}";
+              key = name;
+            }
+            // opts;
+          }) names
+        );
+    in
+    lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups);
+
+  sopsAvailability =
+    config: osConfig:
+    let
+      osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
+      hmSopsAvailable = config ? sops && config.sops ? secrets;
+      preferOs = osSopsAvailable;
+    in
+    {
+      available = osSopsAvailable || hmSopsAvailable;
+      secrets = if preferOs then osConfig.sops.secrets else config.sops.secrets;
+      templates = if preferOs then osConfig.sops.templates else config.sops.templates;
+    };
+}