refactor: modularize 'nvim' for home manager hosts

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

.gitignore

@@ -1,8 +1,10 @@
+#
+.claude/
+home/hosts/work/packages.local.nix
+
 # ---> Nix
 # Ignore build outputs from performing a nix-build or `nix build` command
 result
 result-*
 
 nixos-efi-vars.fd
-
-home/hosts/work/packages.local.nix

dots/.bin/pomo

@@ -8,19 +8,24 @@ Pomodoro timer
 - Notification on break finish
 """
 
-import os
 import atexit
+import os
 from argparse import ArgumentParser
 from time import sleep
+
 from plyer import notification
 
-POMO_PATH = os.path.join(os.getenv("XDG_DATA_HOME", os.path.expanduser("~/.local/share")), "pomo")
+POMO_PATH = os.path.join(
+    os.getenv("XDG_DATA_HOME", os.path.expanduser("~/.local/share")), "pomo"
+)
+
 
 @atexit.register
 def clear():
     if os.path.exists(POMO_PATH):
         os.remove(POMO_PATH)
 
+
 def format_mins_secs(mins, secs):
     return f"{mins:02d}:{secs:02d}"
 
@@ -34,6 +39,7 @@ def make_countdown():
             os.system(f'echo -n "{time_str}" > {POMO_PATH}')
             sleep(1)
             duration -= 1
+
     return countdown
 
 
@@ -58,21 +64,23 @@ def main(args):
 def handle_signal(signal, frame):
     # Wait for clear to finish
     clear()
-    print('Exiting')
+    print("Exiting")
     exit(0)
 
 
-if __name__ == '__main__':
+if __name__ == "__main__":
 
     parser = ArgumentParser()
-    parser.add_argument('-w', '--work-duration', type=int,
-                        help='Session duration', default=25)
-    parser.add_argument('-b', '--break-duration', type=int,
-                        help='Break duration', default=5)
-    parser.add_argument('-r', '--repeats', type=int,
-                        help='Numer of sessions', default=1)
-    parser.add_argument('-c', '--clear', action='store_true',
-                        help='Clear timer')
+    parser.add_argument(
+        "-w", "--work-duration", type=int, help="Session duration", default=25
+    )
+    parser.add_argument(
+        "-b", "--break-duration", type=int, help="Break duration", default=5
+    )
+    parser.add_argument(
+        "-r", "--repeats", type=int, help="Numer of sessions", default=1
+    )
+    parser.add_argument("-c", "--clear", action="store_true", help="Clear timer")
 
     args = parser.parse_args()
 

dots/.bin/r5rs

@@ -2,8 +2,8 @@
 
 session="r5rs"
 
-tmux attach-session -t $session || tmux new-session -s $session \; \
+tmux attach-session -t "$session" || tmux new-session -s "$session" \; \
   split-window -h -t $session \; \
-  send-keys -t 0 "vim" C-m \; \
-  send-keys -t 1 "plt-r5rs --no-prim" C-m \; \
-  select-pane -t 0
+  send-keys -t 1 "nvim -c \"set ft=scheme\"" C-m \; \
+  send-keys -t 2 "plt-r5rs --no-prim" C-m \; \
+  select-pane -t 1

dots/.bin/save-home

@@ -22,4 +22,5 @@ restic -r "$RESTIC_REPOSITORY:$HOSTNAME" backup \
   --one-file-system \
   --files-from="$HOME/.resticinclude" \
   --exclude-file="$HOME/.resticexclude" \
+  --exclude-if-present=".nobackup" \
   --verbose=3

dots/.bin/screen-temperature

@@ -1,12 +1,12 @@
 #!/usr/bin/env python
 
-import sys
 import subprocess
+import sys
 
 DEFAULT_TEMPERATURE = 3500
 
 try:
-    with open('/tmp/temperature', 'r') as temp_file:
+    with open("/tmp/temperature", "r") as temp_file:
         current_temperature = int(temp_file.read())
 except FileNotFoundError:
     current_temperature = DEFAULT_TEMPERATURE
@@ -16,7 +16,8 @@ if len(sys.argv) == 1:
     print(current_temperature)
     sys.exit(0)
 elif len(sys.argv) != 2:
-    print("""
+    print(
+        """
 Usage:
 
   screen-temperature
@@ -27,7 +28,8 @@ Usage:
 
   screen-temperature <+|-><temperature>
       increase or decrease screen temperature by <temperature>
-""")
+"""
+    )
     sys.exit(1)
 
 temperature_change = sys.argv[1]
@@ -41,11 +43,10 @@ else:
 
 try:
     subprocess.run(["redshift", "-O", str(new_temperature), "-P"], check=True)
-    with open('/tmp/temperature', 'w') as temp_file:
-        temp_file.write(str(new_temperature) + '\n')
+    with open("/tmp/temperature", "w") as temp_file:
+        temp_file.write(str(new_temperature) + "\n")
     # Send notification
-    subprocess.run(
-        ["notify-send", str(new_temperature) + "K"])
+    subprocess.run(["notify-send", str(new_temperature) + "K"])
 except subprocess.CalledProcessError:
     print("Error: could not set screen temperature.")
     sys.exit(1)

dots/.bin/zk

@@ -1,7 +1,9 @@
 #!/usr/bin/env bash
 
+current_zettel_path="$ZK_PATH/$(cat "$ZK_PATH/current-zettel.txt")"
+
 if [ "$TERM_PROGRAM" = tmux ]; then
-  cd ~/.zk && $EDITOR "$(cat ~/.zk/current-zettel.txt)"
+  cd "$ZK_PATH" && $EDITOR "$current_zettel_path"
 else
   echo 'Not in tmux'
   echo 'Choose an option:'
@@ -18,12 +20,12 @@ else
       else
         # Create session with a window named 'zk' and start nvim
         tmux new-session -s zk -n zk -d
-        tmux send-keys -t zk:zk "cd ~/.zk && $EDITOR \"\$(cat ~/.zk/current-zettel.txt)\"" Enter
+        tmux send-keys -t zk:zk "cd $ZK_PATH && $EDITOR $current_zettel_path" Enter
         tmux attach -t zk
       fi
       ;;
     2)
-      cd ~/.zk && $EDITOR "$(cat ~/.zk/current-zettel.txt)"
+      cd "$ZK_PATH" && $EDITOR "$current_zettel_path"
       ;;
     *)
       echo 'Not opening Zettelkasten'

dots/.config/kitty/kitty.conf

@@ -56,7 +56,7 @@ hide_window_decorations yes
 
 #: Tab bar {{{
 
-tab_bar_edge top
+tab_bar_edge bottom
 tab_bar_style powerline
 tab_bar_min_tabs 1
 tab_powerline_style slanted
@@ -136,7 +136,7 @@ map f5 goto_tab 5
 map f6 goto_tab 6
 map f7 goto_tab 7
 map f8 goto_tab 8
-map kitty_mod+c new_tab
+# map kitty_mod+c new_tab # FIXME: conflict with 'copy'
 map cmd+t
 map kitty_mod+q
 map cmd+w

dots/.config/nvim/after/plugin/claude-code.nvim.lua

@@ -0,0 +1,61 @@
+require("claude-code").setup({
+  -- Terminal window settings
+  window = {
+    split_ratio = 0.3, -- Percentage of screen for the terminal window (height for horizontal, width for vertical splits)
+    position = "vertical", -- Position of the window: "botright", "topleft", "vertical", "float", etc.
+    enter_insert = true, -- Whether to enter insert mode when opening Claude Code
+    hide_numbers = true, -- Hide line numbers in the terminal window
+    hide_signcolumn = true, -- Hide the sign column in the terminal window
+
+    -- Floating window configuration (only applies when position = "float")
+    float = {
+      width = "80%", -- Width: number of columns or percentage string
+      height = "80%", -- Height: number of rows or percentage string
+      row = "center", -- Row position: number, "center", or percentage string
+      col = "center", -- Column position: number, "center", or percentage string
+      relative = "editor", -- Relative to: "editor" or "cursor"
+      border = "rounded", -- Border style: "none", "single", "double", "rounded", "solid", "shadow"
+    },
+  },
+  -- File refresh settings
+  refresh = {
+    enable = true, -- Enable file change detection
+    updatetime = 100, -- updatetime when Claude Code is active (milliseconds)
+    timer_interval = 1000, -- How often to check for file changes (milliseconds)
+    show_notifications = true, -- Show notification when files are reloaded
+  },
+  -- Git project settings
+  git = {
+    use_git_root = true, -- Set CWD to git root when opening Claude Code (if in git project)
+  },
+  -- Shell-specific settings
+  shell = {
+    separator = "&&", -- Command separator used in shell commands
+    pushd_cmd = "pushd", -- Command to push directory onto stack (e.g., 'pushd' for bash/zsh, 'enter' for nushell)
+    popd_cmd = "popd", -- Command to pop directory from stack (e.g., 'popd' for bash/zsh, 'exit' for nushell)
+  },
+  -- Command settings
+  command = "claude", -- Command used to launch Claude Code
+  -- Command variants
+  command_variants = {
+    -- Conversation management
+    continue = "--continue", -- Resume the most recent conversation
+    resume = "--resume", -- Display an interactive conversation picker
+
+    -- Output options
+    verbose = "--verbose", -- Enable verbose logging with full turn-by-turn output
+  },
+  -- Keymaps
+  keymaps = {
+    toggle = {
+      normal = "<C-,>", -- Normal mode keymap for toggling Claude Code, false to disable
+      terminal = "<C-,>", -- Terminal mode keymap for toggling Claude Code, false to disable
+      variants = {
+        continue = "<leader>cC", -- Normal mode keymap for Claude Code with continue flag
+        verbose = "<leader>cV", -- Normal mode keymap for Claude Code with verbose flag
+      },
+    },
+    window_navigation = true, -- Enable window navigation keymaps (<C-h/j/k/l>)
+    scrolling = true, -- Enable scrolling keymaps (<C-f/b>) for page up/down
+  },
+})

dots/.config/nvim/after/plugin/codecompanion.nvim.lua

@@ -1,16 +1,22 @@
 require("codecompanion").setup({
-  extensions = {
-    mcphub = {
-      callback = "mcphub.extensions.codecompanion",
-      opts = {
-        make_vars = true,
-        make_slash_commands = true,
-        show_result_in_chat = true
-      }
-    }
-  },
+  ignore_warnings = true,
   strategies = {
     chat = { adapter = "openai" },
     inline = { adapter = "openai" },
   },
 })
+
+-- Load mcphub extension after codecompanion is initialized
+-- and ensure the config structure exists
+local ok, cc_config = pcall(require, "codecompanion.config")
+if ok then
+  cc_config.interactions = cc_config.interactions or {}
+  cc_config.interactions.chat = cc_config.interactions.chat or {}
+  cc_config.interactions.chat.tools = cc_config.interactions.chat.tools or {}
+
+  require("mcphub.extensions.codecompanion").setup({
+    make_vars = true,
+    make_slash_commands = true,
+    show_result_in_chat = true,
+  })
+end

dots/.config/nvim/after/plugin/conform.lua

@@ -13,14 +13,15 @@ require("conform").setup({
     gdscript = { "gdformat" },
     haskell = { "ormolu" },
     html = { "prettierd", "prettier", stop_after_first = true },
-    lua = { "stylua" }, -- configured in stylua.toml
-    markdown = { "prettierd", "prettier", stop_after_first = true },
-    nix = { "nixfmt" },
     javascript = { "eslint_d", "eslint", "prettierd", "prettier", stop_after_first = true },
     javascriptreact = { "eslint_d", "eslint", "prettierd", "prettier", stop_after_first = true },
     json = { "prettierd", "prettier", stop_after_first = true },
     jsonc = { "prettierd", "prettier", stop_after_first = true },
+    lua = { "stylua" }, -- configured in stylua.toml
+    markdown = { "prettierd", "prettier", stop_after_first = true },
+    nix = { "nixfmt" },
     python = { "isort", "black" },
+    rust = { "rustfmt", lsp_fallback = "fallback" },
     svelte = { "eslint_d", "prettierd", "prettier", stop_after_first = true },
     typescript = { "eslint_d", "prettierd", "prettier", stop_after_first = true },
     typescriptreact = { "eslint_d", "eslint", "prettierd", "prettier", stop_after_first = true },

dots/.config/nvim/after/plugin/fidget.nvim.lua

@@ -0,0 +1 @@
+require("fidget").setup()

dots/.config/nvim/after/plugin/m_taskwarrior_d.nvim.lua

@@ -0,0 +1,9 @@
+require("m_taskwarrior_d").setup()
+
+vim.api.nvim_create_autocmd({ "BufEnter", "BufWritePost" }, {
+  group = vim.api.nvim_create_augroup("TWTask", { clear = true }),
+  pattern = "*.md",
+  callback = function()
+    vim.cmd("TWSyncTasks")
+  end,
+})

dots/.config/nvim/after/plugin/treesitter.lua

@@ -2,12 +2,15 @@ local ts = require("treesj")
 local vim = vim
 local keymap = vim.keymap
 local opt = vim.opt
-local treesitter_configs = require("nvim-treesitter.configs")
+local treesitter = require("nvim-treesitter")
 
-treesitter_configs.setup({
+local nixCatsUtils = require("nixCatsUtils")
+local is_nix = nixCatsUtils.isNixCats
+
+treesitter.setup({
   -- Basically added what I might need from the docs
   -- <https://github.com/nvim-treesitter/nvim-treesitter?tab=readme-ov-file#supported-languages>
-  ensure_installed = {
+  ensure_installed = is_nix and {} or {
     "awk",
     "bash",
     "bibtex",
@@ -86,7 +89,7 @@ treesitter_configs.setup({
     enable = true,
   },
   sync_install = false,
-  auto_install = true,
+  auto_install = not is_nix,
   ignore_install = {},
   modules = {},
   textobjects = {

dots/.config/nvim/flake.lock

@@ -1,12 +1,52 @@
 {
   "nodes": {
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "mcp-hub",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1743550720,
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
+    "mcp-hub": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1755841689,
+        "narHash": "sha256-KakvXZf0vjdqzyT+LsAKHEr4GLICGXPmxl1hZ3tI7Yg=",
+        "owner": "ravitemer",
+        "repo": "mcp-hub",
+        "rev": "9c7670a4c341ed3cf738a6242c0fde1cea40bccf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ravitemer",
+        "repo": "mcp-hub",
+        "type": "github"
+      }
+    },
     "nixCats": {
       "locked": {
-        "lastModified": 1763330129,
-        "narHash": "sha256-KbOeWIF52SV53BOeETGO2C5ewaV2Ex9iaXH7G72gOr8=",
+        "lastModified": 1767604651,
+        "narHash": "sha256-itAnxzTpWpY1s3LA/oNngOuZDXT5U5JUZP5fApwx9gs=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "c81551ed87db2aefab30a12cf7425ff94dc0ad64",
+        "rev": "3c9bc4d7123e1b48d92f25ba505b889af541e897",
         "type": "github"
       },
       "original": {
@@ -17,11 +57,27 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1763464769,
-        "narHash": "sha256-AJHrsT7VoeQzErpBRlLJM1SODcaayp0joAoEA35yiwM=",
+        "lastModified": 1743689281,
+        "narHash": "sha256-y7Hg5lwWhEOgflEHRfzSH96BOt26LaYfrYWzZ+VoVdg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2bfc080955153be0be56724be6fa5477b4eefabb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1768302833,
+        "narHash": "sha256-h5bRFy9bco+8QcK7rGoOiqMxMbmn21moTACofNLRMP4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6f374686605df381de8541c072038472a5ea2e2d",
+        "rev": "61db79b0c6b838d9894923920b612048e1201926",
         "type": "github"
       },
       "original": {
@@ -47,22 +103,6 @@
         "type": "github"
       }
     },
-    "plugins-crazy-node-movement": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1693654676,
-        "narHash": "sha256-hQcQEp39zFN2zphMfcr97yRVcuHhBsSkzKO7XNloDpQ=",
-        "owner": "theHamsta",
-        "repo": "crazy-node-movement",
-        "rev": "d5cf01cc44c5715501d3d6fe439af7c8b7fa5df2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "theHamsta",
-        "repo": "crazy-node-movement",
-        "type": "github"
-      }
-    },
     "plugins-helm-ls-nvim": {
       "flake": false,
       "locked": {
@@ -79,14 +119,30 @@
         "type": "github"
       }
     },
+    "plugins-m-taskwarrior-d-nvim": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767960157,
+        "narHash": "sha256-ov0qi4LhIlwqrBzSbTJ6APC5qjl2d/vlKWJfW5ZiDrg=",
+        "owner": "huantrinh1802",
+        "repo": "m_taskwarrior_d.nvim",
+        "rev": "107247387cd81823046bc2b8e71150c8edf041d3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "huantrinh1802",
+        "repo": "m_taskwarrior_d.nvim",
+        "type": "github"
+      }
+    },
     "plugins-mcphub-nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1759035242,
-        "narHash": "sha256-I6EbgY/2sAdtrxtmH0qbAAQvMCHhOsfolJfblV0fXOk=",
+        "lastModified": 1765628564,
+        "narHash": "sha256-nvWqCGRKhbUHsAM/zd+cwFdcoXXxf6EmcCkpN4mElf4=",
         "owner": "ravitemer",
         "repo": "mcphub.nvim",
-        "rev": "8ff40b5edc649959bb7e89d25ae18e055554859a",
+        "rev": "5193329d510a68f1f5bf189960642c925c177a3a",
         "type": "github"
       },
       "original": {
@@ -130,11 +186,11 @@
     "plugins-tailwind-fold-nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1752559116,
-        "narHash": "sha256-8uefZIVsn9USEd6FyiO3m3TRKAS/vigU4t9Tk5ijd3c=",
+        "lastModified": 1766077142,
+        "narHash": "sha256-SwcDLlygXUSV/dytPXA5Y45OpUhjnExc8SZg5a8MZ2k=",
         "owner": "razak17",
         "repo": "tailwind-fold.nvim",
-        "rev": "d9e7ca11691d252b35795726dff087bf013b2ebf",
+        "rev": "e2ba5ee1ca9b74208709fe9d7314b8aa753b26a7",
         "type": "github"
       },
       "original": {
@@ -145,11 +201,12 @@
     },
     "root": {
       "inputs": {
+        "mcp-hub": "mcp-hub",
         "nixCats": "nixCats",
-        "nixpkgs": "nixpkgs",
+        "nixpkgs": "nixpkgs_2",
         "plugins-beancount-nvim": "plugins-beancount-nvim",
-        "plugins-crazy-node-movement": "plugins-crazy-node-movement",
         "plugins-helm-ls-nvim": "plugins-helm-ls-nvim",
+        "plugins-m-taskwarrior-d-nvim": "plugins-m-taskwarrior-d-nvim",
         "plugins-mcphub-nvim": "plugins-mcphub-nvim",
         "plugins-nvimkit-nvim": "plugins-nvimkit-nvim",
         "plugins-shipwright-nvim": "plugins-shipwright-nvim",

dots/.config/nvim/flake.nix

@@ -2,13 +2,14 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
     nixCats.url = "github:BirdeeHub/nixCats-nvim";
+    mcp-hub.url = "github:ravitemer/mcp-hub";
 
     plugins-shipwright-nvim = {
       url = "github:rktjmp/shipwright.nvim";
       flake = false;
     };
-    plugins-crazy-node-movement = {
-      url = "github:theHamsta/crazy-node-movement";
+    plugins-m-taskwarrior-d-nvim = {
+      url = "github:huantrinh1802/m_taskwarrior_d.nvim";
       flake = false;
     };
     plugins-beancount-nvim = {
@@ -47,8 +48,11 @@
       forEachSystem = utils.eachSystem nixpkgs.lib.platforms.all;
       extra_pkg_config = { };
 
-      dependencyOverlays = [
+      mkDependencyOverlays = system: [
         (utils.standardPluginOverlay inputs)
+        (final: prev: {
+          mcp-hub = inputs.mcp-hub.packages.${system}.default;
+        })
       ];
 
       categoryDefinitions =
@@ -62,17 +66,23 @@
               black
               clang
               clang-tools
+              delta
+              fd
               gawk
               gdtoolkit_4
               isort
-              tree-sitter
-              ormolu
-              nodePackages.prettier
+              mcp-hub
               nixd
               nixfmt
+              nodePackages.prettier
+              nodePackages.typescript-language-server
+              ormolu
               prettierd
+              rustfmt
               shellcheck-minimal
+              stylelint
               stylua
+              tree-sitter
               vscode-langservers-extracted
             ];
           };
@@ -123,10 +133,9 @@
               pkgs.neovimPlugins.shipwright-nvim
               lush-nvim
               zenbones-nvim
-              pkgs.neovimPlugins.crazy-node-movement
               nvim-treesitter.withAllGrammars
               nvim-treesitter-textobjects
-              # nvim-treesitter-context
+              nvim-treesitter-context
               nvim-ts-context-commentstring
               treesj
               sniprun
@@ -143,7 +152,11 @@
               copilot-lua
               copilot-cmp
               pkgs.neovimPlugins.helm-ls-nvim
-              pkgs.vimPlugins.kitty-scrollback-nvim
+              kitty-scrollback-nvim
+              fidget-nvim
+              rustaceanvim
+              pkgs.neovimPlugins.m-taskwarrior-d-nvim
+              claude-code-nvim
             ];
           };
 
@@ -180,6 +193,7 @@
     forEachSystem (
       system:
       let
+        dependencyOverlays = mkDependencyOverlays system;
         nixCatsBuilder = utils.baseBuilder luaPath {
           inherit
             nixpkgs
@@ -199,7 +213,7 @@
             name = defaultPackageName;
             packages = [ defaultPackage ];
             inputsFrom = [ ];
-            shellHook = '''';
+            shellHook = "";
           };
         };
 
@@ -211,31 +225,32 @@
           moduleNamespace = [ defaultPackageName ];
           inherit
             defaultPackageName
-            dependencyOverlays
             luaPath
             categoryDefinitions
             packageDefinitions
             extra_pkg_config
             nixpkgs
             ;
+          dependencyOverlays = mkDependencyOverlays;
         };
         homeModule = utils.mkHomeModules {
           moduleNamespace = [ defaultPackageName ];
           inherit
             defaultPackageName
-            dependencyOverlays
             luaPath
             categoryDefinitions
             packageDefinitions
             extra_pkg_config
             nixpkgs
             ;
+          dependencyOverlays = mkDependencyOverlays;
         };
       in
       {
 
         overlays = utils.makeOverlays luaPath {
-          inherit nixpkgs dependencyOverlays extra_pkg_config;
+          inherit nixpkgs extra_pkg_config;
+          dependencyOverlays = mkDependencyOverlays;
         } categoryDefinitions packageDefinitions defaultPackageName;
 
         nixosModules.default = nixosModule;

dots/.config/nvim/lua/paq-setup.lua

@@ -43,4 +43,5 @@ require("nixCatsUtils.catPacker").setup({
   { "zbirenbaum/copilot-cmp" },
   { "qvalentin/helm-ls.nvim", ft = "helm" },
   { "mikesmithgh/kitty-scrollback.nvim" },
+  { "greggh/claude-code.nvim" },
 })

flake.lock

@@ -29,11 +29,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1764561884,
-        "narHash": "sha256-vQ3iFPPhxsLqV3c5kgmYP53mVD6id6gsP0tN+oTmqok=",
+        "lastModified": 1768709017,
+        "narHash": "sha256-/Xc5B/+6nbX24iSaPbN/+wiVqGS50/LS4y53tzTvN0o=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "aba4621459aec251d90d6452e3495b58a8a5e185",
+        "rev": "5728e3d62c3af09445cb013e304d627f6589efc4",
         "type": "gitlab"
       },
       "original": {
@@ -43,6 +43,28 @@
         "type": "gitlab"
       }
     },
+    "flake-parts": {
+      "inputs": {
+        "nixpkgs-lib": [
+          "nvim",
+          "mcp-hub",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1743550720,
+        "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "flake-parts",
+        "type": "github"
+      }
+    },
     "flake-utils": {
       "inputs": {
         "systems": "systems"
@@ -68,11 +90,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764544324,
-        "narHash": "sha256-GVBGjO7UsmzLrlOJV8NlKSxukHaHencrJqWkCA6FkqI=",
+        "lastModified": 1768707181,
+        "narHash": "sha256-GdwFfnwdUgABFpc4sAmX7GYx8eQs6cEjOPo6nBJ0YaI=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "e4e25a8c310fa45f2a8339c7972dc43d2845a612",
+        "rev": "83bcb17377f0242376a327e742e9404e9a528647",
         "type": "github"
       },
       "original": {
@@ -81,13 +103,32 @@
         "type": "github"
       }
     },
+    "mcp-hub": {
+      "inputs": {
+        "flake-parts": "flake-parts",
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1755841689,
+        "narHash": "sha256-KakvXZf0vjdqzyT+LsAKHEr4GLICGXPmxl1hZ3tI7Yg=",
+        "owner": "ravitemer",
+        "repo": "mcp-hub",
+        "rev": "9c7670a4c341ed3cf738a6242c0fde1cea40bccf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ravitemer",
+        "repo": "mcp-hub",
+        "type": "github"
+      }
+    },
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1764371082,
-        "narHash": "sha256-yxFxEKXFuXFyFIDZY1gla2OyuqcIE3uT8KDDgTmm3cE=",
+        "lastModified": 1768726358,
+        "narHash": "sha256-OFD8qqNfGnLnL+15Hpzl6jhuzb4KVuVNz0zfPBz8lyo=",
         "ref": "main",
-        "rev": "b9c2ce32cc4c95d7ff01372faea2668407ef8d27",
+        "rev": "84db870708bb281edf24f626d1e105e8a8ea0b3f",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/hektor/nix-secrets"
@@ -101,11 +142,11 @@
     },
     "nixCats": {
       "locked": {
-        "lastModified": 1764009888,
-        "narHash": "sha256-hJekfTiW1792txgRSM4LcHnz1lDSY87LYbsJEn2V378=",
+        "lastModified": 1767604651,
+        "narHash": "sha256-itAnxzTpWpY1s3LA/oNngOuZDXT5U5JUZP5fApwx9gs=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "16ac3281f322ea15d39843829e42a44d22da3715",
+        "rev": "3c9bc4d7123e1b48d92f25ba505b889af541e897",
         "type": "github"
       },
       "original": {
@@ -137,11 +178,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1764440730,
-        "narHash": "sha256-ZlJTNLUKQRANlLDomuRWLBCH5792x+6XUJ4YdFRjtO4=",
+        "lastModified": 1768584846,
+        "narHash": "sha256-IRPmIOV2tPwxbhP/I9M5AmwhTC0lMPtoPStC+8T6xl0=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "9154f4569b6cdfd3c595851a6ba51bfaa472d9f3",
+        "rev": "cce68f4a54fa4e3d633358364477f5cc1d782440",
         "type": "github"
       },
       "original": {
@@ -153,11 +194,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1764517877,
-        "narHash": "sha256-pp3uT4hHijIC8JUK5MEqeAWmParJrgBVzHLNfJDZxg4=",
+        "lastModified": 1768564909,
+        "narHash": "sha256-Kell/SpJYVkHWMvnhqJz/8DqQg2b6PguxVWOuadbHCc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "2d293cbfa5a793b4c50d17c05ef9e385b90edf6c",
+        "rev": "e4bae1bd10c9c57b2cf517953ab70060a828ee6f",
         "type": "github"
       },
       "original": {
@@ -167,15 +208,32 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1743689281,
+        "narHash": "sha256-y7Hg5lwWhEOgflEHRfzSH96BOt26LaYfrYWzZ+VoVdg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2bfc080955153be0be56724be6fa5477b4eefabb",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "nvim": {
       "inputs": {
+        "mcp-hub": "mcp-hub",
         "nixCats": "nixCats",
         "nixpkgs": [
           "nixpkgs"
         ],
         "plugins-beancount-nvim": "plugins-beancount-nvim",
-        "plugins-crazy-node-movement": "plugins-crazy-node-movement",
         "plugins-helm-ls-nvim": "plugins-helm-ls-nvim",
+        "plugins-m-taskwarrior-d-nvim": "plugins-m-taskwarrior-d-nvim",
         "plugins-mcphub-nvim": "plugins-mcphub-nvim",
         "plugins-nvimkit-nvim": "plugins-nvimkit-nvim",
         "plugins-shipwright-nvim": "plugins-shipwright-nvim",
@@ -207,22 +265,6 @@
         "type": "github"
       }
     },
-    "plugins-crazy-node-movement": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1693654676,
-        "narHash": "sha256-hQcQEp39zFN2zphMfcr97yRVcuHhBsSkzKO7XNloDpQ=",
-        "owner": "theHamsta",
-        "repo": "crazy-node-movement",
-        "rev": "d5cf01cc44c5715501d3d6fe439af7c8b7fa5df2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "theHamsta",
-        "repo": "crazy-node-movement",
-        "type": "github"
-      }
-    },
     "plugins-helm-ls-nvim": {
       "flake": false,
       "locked": {
@@ -239,14 +281,30 @@
         "type": "github"
       }
     },
+    "plugins-m-taskwarrior-d-nvim": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1767960157,
+        "narHash": "sha256-ov0qi4LhIlwqrBzSbTJ6APC5qjl2d/vlKWJfW5ZiDrg=",
+        "owner": "huantrinh1802",
+        "repo": "m_taskwarrior_d.nvim",
+        "rev": "107247387cd81823046bc2b8e71150c8edf041d3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "huantrinh1802",
+        "repo": "m_taskwarrior_d.nvim",
+        "type": "github"
+      }
+    },
     "plugins-mcphub-nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1759035242,
-        "narHash": "sha256-I6EbgY/2sAdtrxtmH0qbAAQvMCHhOsfolJfblV0fXOk=",
+        "lastModified": 1765628564,
+        "narHash": "sha256-nvWqCGRKhbUHsAM/zd+cwFdcoXXxf6EmcCkpN4mElf4=",
         "owner": "ravitemer",
         "repo": "mcphub.nvim",
-        "rev": "8ff40b5edc649959bb7e89d25ae18e055554859a",
+        "rev": "5193329d510a68f1f5bf189960642c925c177a3a",
         "type": "github"
       },
       "original": {
@@ -290,11 +348,11 @@
     "plugins-tailwind-fold-nvim": {
       "flake": false,
       "locked": {
-        "lastModified": 1752559116,
-        "narHash": "sha256-8uefZIVsn9USEd6FyiO3m3TRKAS/vigU4t9Tk5ijd3c=",
+        "lastModified": 1766077142,
+        "narHash": "sha256-SwcDLlygXUSV/dytPXA5Y45OpUhjnExc8SZg5a8MZ2k=",
         "owner": "razak17",
         "repo": "tailwind-fold.nvim",
-        "rev": "d9e7ca11691d252b35795726dff087bf013b2ebf",
+        "rev": "e2ba5ee1ca9b74208709fe9d7314b8aa753b26a7",
         "type": "github"
       },
       "original": {
@@ -323,11 +381,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1764483358,
-        "narHash": "sha256-EyyvCzXoHrbL467YSsQBTWWg4sR96MH1sPpKoSOelB4=",
+        "lastModified": 1768709255,
+        "narHash": "sha256-aigyBfxI20FRtqajVMYXHtj5gHXENY2gLAXEhfJ8/WM=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5aca6ff67264321d47856a2ed183729271107c9c",
+        "rev": "5e8fae80726b66e9fec023d21cd3b3e638597aa9",
         "type": "github"
       },
       "original": {

flake.nix

@@ -5,7 +5,6 @@
     };
     nixos-hardware = {
       url = "github:NixOS/nixos-hardware/master";
-      inputs.nixpkgs.follows = "nixpkgs";
     };
     disko = {
       url = "github:nix-community/disko/latest";
@@ -51,6 +50,7 @@
       nvim,
     }@inputs:
     let
+      inherit (self) outputs;
       lib = inputs.nixpkgs.lib;
       utils = import ./utils { inherit lib; };
       hostDirNames = utils.dirNames ./hosts;
@@ -68,14 +68,18 @@
         host:
         nixpkgs.lib.nixosSystem {
           modules = [ ./hosts/${host} ];
-          specialArgs = { inherit inputs; };
+          specialArgs = {
+            inherit inputs outputs;
+          };
         }
       );
       homeConfigurations = {
         work = home-manager.lib.homeManagerConfiguration {
           inherit pkgs;
           modules = [ ./home/hosts/work ];
-          extraSpecialArgs = { inherit inputs; };
+          extraSpecialArgs = {
+            inherit inputs outputs;
+          };
         };
       };
     };

home/hosts/andromache/default.nix

@@ -6,14 +6,53 @@
   ...
 }:
 
+let
+  username = "h";
+in
 {
   imports = [
-    (import ../astyanax {
-      inherit inputs;
-      inherit config;
-      inherit pkgs;
-    })
+    ../../modules/desktop/niri
+    ../../modules/git.nix
+    ../../modules/hetzner
+    ../../modules/k9s.nix
+    ../../modules/kitty.nix
+    ../../modules/ssh.nix
+    ../../modules/taskwarrior.nix
+    ../../modules/keepassxc.nix
+    ../../modules/anki.nix
+    ../../modules/browser
+    ../../modules/shell
   ];
 
-  programs.taskwarrior.config.recurrence = lib.mkForce "on";
+  home.stateVersion = "25.05";
+  home.username = username;
+  home.homeDirectory = "/home/${username}";
+
+  xdg.userDirs.createDirectories = false;
+  xdg.userDirs.download = "${config.home.homeDirectory}/dl";
+
+  browser.primary = "librewolf";
+
+  shell.bash = {
+    enable = true;
+    aliases.lang-js = true;
+  };
+
+  programs = {
+    home-manager.enable = true;
+    taskwarrior.config.recurrence = lib.mkForce "on";
+  };
+
+  home.packages = import ../packages.nix {
+    inherit pkgs;
+    inherit config;
+  };
+
+  home.file = {
+    ".config/kitty/kitty.conf".source = ../../../dots/.config/kitty/kitty.conf;
+    ".config/kitty/themes/zenwritten_light.conf".source =
+      ../../../dots/.config/kitty/themes/zenwritten_light.conf;
+    ".config/kitty/themes/zenwritten_dark.conf".source =
+      ../../../dots/.config/kitty/themes/zenwritten_dark.conf;
+  };
 }

home/hosts/astyanax/default.nix

@@ -10,13 +10,17 @@ let
 in
 {
   imports = [
-    ../../modules/dconf.nix # TODO: Only enable when on Gnome?
+    ../../modules/anki.nix
+    ../../modules/desktop/niri
     ../../modules/git.nix
+    ../../modules/hetzner
     ../../modules/k9s.nix
-    (import ../../modules/taskwarrior.nix {
-      inherit config;
-      inherit pkgs;
-    })
+    ../../modules/kitty.nix
+    ../../modules/ssh.nix
+    ../../modules/taskwarrior.nix
+    ../../modules/keepassxc.nix
+    ../../modules/browser
+    ../../modules/shell
   ];
 
   home.stateVersion = "25.05";
@@ -26,48 +30,23 @@ in
   xdg.userDirs.createDirectories = false;
   xdg.userDirs.download = "${config.home.homeDirectory}/dl";
 
+  browser.primary = "librewolf";
+
+  shell.bash = {
+    enable = true;
+    aliases.lang-js = true;
+  };
+
   programs = {
-    bash = {
-      enable = true;
-      enableCompletion = true;
-      initExtra = ''
-        for f in /home/h/.bashrc.d/*; do
-          [ -f "$f" ] && source "$f"
-        done
-
-        source /home/h/.bash_aliases/all
-        source /home/h/.bash_aliases/lang-js
-
-        # host-specific config goes here
-        # ...
-
-        export PATH=${../../../dots/.bin}:$PATH
-      '';
-    };
-    firefox = import ../../modules/firefox.nix {
-      inherit inputs;
-      inherit pkgs;
-      inherit config;
-    };
-    fzf = {
-      enable = true;
-      enableBashIntegration = true;
-    };
     home-manager.enable = true;
-    keepassxc = import ../../modules/keepassxc.nix;
   };
 
-  home.packages = import ./packages.nix {
+  home.packages = import ../packages.nix {
     inherit pkgs;
     inherit config;
   };
 
   home.file = {
-    ".inputrc".source = ../../../dots/.inputrc;
-    ".bashrc.d/prompt".source = ../../../dots/.bashrc.d/prompt;
-    ".bashrc.d/editor".source = ../../../dots/.bashrc.d/editor;
-    ".bash_aliases/all".source = ../../../dots/.bash_aliases/all;
-    ".bash_aliases/lang-js".source = ../../../dots/.bash_aliases/lang-js;
     ".config/kitty/kitty.conf".source = ../../../dots/.config/kitty/kitty.conf;
     ".config/kitty/themes/zenwritten_light.conf".source =
       ../../../dots/.config/kitty/themes/zenwritten_light.conf;

home/hosts/packages.nix

@@ -3,50 +3,34 @@
 with pkgs;
 [
   bash-completion
-  bash-language-server
   bat
-  brightnessctl
   entr
-  eslint_d
   feh
   fzf
   gh
   git
-  haskell-language-server
   haskellPackages.pandoc-crossref
-  haskellPackages.hadolint
   htop
   jq
-  kitty
-  lua-language-server
   nixfmt-rfc-style
   nmap
   nodejs_24
   nvimpager
-  ormolu
   pandoc
   parallel
   pass
   pnpm
+  python3
   ripgrep
+  signal-desktop
   silver-searcher
   sops
   sshfs
-  stylelint
-  svelte-language-server
-  tailwindcss-language-server
   tldr
   tmux
   tmuxp
   tree
-  tree-sitter
-  typescript-language-server
   unzip
-  vim-language-server
   vimPlugins.vim-plug
-  vtsls
   wget
-  xbanish
-  xclip
-  yaml-language-server
 ]

home/hosts/work/default.nix

@@ -10,11 +10,39 @@ let
 in
 {
   imports = [
+    inputs.sops-nix.homeManagerModules.sops
     ../../modules/dconf.nix
     ../../modules/git.nix
     ../../modules/k9s.nix
+    ../../modules/keepassxc.nix
+    ../../modules/kitty.nix
+    ../../modules/nvim.nix
+    ../../modules/browser
+    ../../modules/shell
+    ../../modules/taskwarrior.nix
   ];
 
+  sops = {
+    age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+    defaultSopsFile = "${inputs.nix-secrets}/secrets.yaml";
+
+    secrets = {
+      taskwarrior_sync_server_url = { };
+      taskwarrior_sync_server_client_id = { };
+      taskwarrior_sync_encryption_secret = { };
+      anki_sync_user = { };
+      anki_sync_key = { };
+    };
+
+    templates."taskrc.d/sync" = {
+      content = ''
+        sync.server.url=${config.sops.placeholder.taskwarrior_sync_server_url}
+        sync.server.client_id=${config.sops.placeholder.taskwarrior_sync_server_client_id}
+        sync.encryption_secret=${config.sops.placeholder.taskwarrior_sync_encryption_secret}
+      '';
+    };
+  };
+
   nixpkgs.config.allowUnfree = true;
 
   home.stateVersion = "25.05";
@@ -26,15 +54,14 @@ in
     defaultWrapper = "mesa";
   };
 
+  browser.primary = "firefox";
+  browser.secondary = "chromium";
+
+  shell.bash.enable = true;
+  starship.enable = true;
+
   programs = {
-    # editorconfig.enable = true;
-    firefox = import ../../modules/firefox.nix {
-      inherit inputs;
-      inherit pkgs;
-      inherit config;
-    };
     gh.enable = true;
-    keepassxc = import ../../modules/keepassxc.nix;
     kubecolor.enable = true;
   };
 

home/hosts/work/packages.nix

@@ -13,7 +13,4 @@ let
       [ ];
 in
 
-(with pkgs; [
-  inputs.nvim.packages.x86_64-linux.nvim
-])
-++ localPackages
+[ ] ++ localPackages

home/modules/anki.nix

@@ -1,6 +1,33 @@
 {
+  config,
+  lib,
+  pkgs,
+  osConfig ? null,
+  ...
+}:
+
+let
+  hmSopsAvailable = config ? sops && config.sops ? secrets;
+  osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
+  sopsAvailable = hmSopsAvailable || osSopsAvailable;
+
+  sopsSecrets = if hmSopsAvailable then config.sops.secrets else osConfig.sops.secrets;
+in
+{
+  warnings = lib.optional (
+    !sopsAvailable && config.programs.anki.enable
+  ) "anki is enabled but sops secrets are not available. anki sync will not be configured.";
+
+  programs.anki = {
     enable = true;
-  # sync = {
-  #   username = config.sops.secrets."email/personal".path;
-  # };
+    addons = with pkgs.ankiAddons; [
+      anki-connect
+      puppy-reinforcement
+      review-heatmap
+    ];
+    sync = lib.mkIf sopsAvailable {
+      usernameFile = "${sopsSecrets."anki_sync_user".path}";
+      keyFile = "${sopsSecrets."anki_sync_key".path}";
+    };
+  };
 }

home/modules/browser/bookmarks.nix

@@ -0,0 +1,19 @@
+{
+  nixos = {
+    name = "NixOS";
+    bookmarks = [
+      {
+        name = "wiki";
+        url = "https://wiki.nixos.org/wiki/NixOS_Wiki";
+      }
+      {
+        name = "packages";
+        url = "https://search.nixos.org/packages";
+      }
+      {
+        name = "options";
+        url = "https://search.nixos.org/options";
+      }
+    ];
+  };
+}

home/modules/browser/chromium.nix

@@ -0,0 +1,12 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  config = lib.mkIf (config.browser.primary == "chromium" || config.browser.secondary == "chromium") {
+    home.packages = [ pkgs.chromium ];
+  };
+}

home/modules/browser/default.nix

@@ -0,0 +1,31 @@
+{ lib, ... }:
+
+{
+  options.browser = {
+    primary = lib.mkOption {
+      type = lib.types.enum [
+        "firefox"
+        "chromium"
+        "librewolf"
+      ];
+      default = "firefox";
+    };
+
+    secondary = lib.mkOption {
+      type = lib.types.nullOr (
+        lib.types.enum [
+          "firefox"
+          "chromium"
+          "librewolf"
+        ]
+      );
+      default = null;
+    };
+  };
+
+  imports = [
+    ./firefox.nix
+    ./librewolf.nix
+    ./chromium.nix
+  ];
+}

home/modules/browser/firefox.nix

@@ -0,0 +1,89 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  bookmarks = import ./bookmarks.nix;
+in
+
+{
+  config = lib.mkIf (config.browser.primary == "firefox" || config.browser.secondary == "firefox") {
+    programs.firefox = {
+      enable = true;
+      nativeMessagingHosts = with pkgs; [
+        tridactyl-native
+      ];
+      profiles = {
+        default = {
+          settings = {
+            "signon.rememberSignons" = false;
+            "findbar.highlightAll" = true;
+            "extensions.autoDisableScopes" = 0;
+          };
+          extensions = {
+            packages = with inputs.firefox-addons.packages.${pkgs.system}; [
+              duckduckgo-privacy-essentials
+              istilldontcareaboutcookies
+              libredirect
+              keepassxc-browser
+              react-devtools
+              sponsorblock
+              tridactyl
+              ublock-origin
+            ];
+          };
+          bookmarks = {
+            force = true;
+            settings = [
+              {
+                toolbar = true;
+                bookmarks = [
+                  bookmarks.nixos
+                ];
+              }
+            ];
+          };
+        };
+      };
+      policies = {
+        DefaultDownloadDirectory = "\${home}/dl";
+        ExtensionSettings = {
+          "jid1-ZAdIEUB7XOzOJw@jetpack" = {
+            default_area = "navbar";
+            private_browsing = true;
+          };
+          "idcac-pub@guus.ninja" = {
+            default_area = "navbar";
+            private_browsing = true;
+          };
+          "7esoorv3@alefvanoon.anonaddy.me" = {
+            default_area = "navbar";
+          };
+          "keepassxc-browser@keepassxc.org" = {
+            default_area = "navbar";
+            private_browsing = true;
+          };
+          "@react-devtools" = {
+            default_area = "navbar";
+            private_browsing = true;
+          };
+          "sponsorBlocker@ajay.app" = {
+            default_area = "navbar";
+            private_browsing = true;
+          };
+          "tridactyl.vim@cmcaine.co.uk".settings = {
+            private_browsing = true;
+          };
+          "uBlock0@raymondhill.net".settings = {
+            default_area = "navbar";
+            private_browsing = true;
+          };
+        };
+      };
+    };
+  };
+}

home/modules/browser/librewolf.nix

@@ -0,0 +1,91 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgs,
+  ...
+}:
+
+let
+  bookmarks = import ./bookmarks.nix;
+in
+
+{
+  config =
+    lib.mkIf (config.browser.primary == "librewolf" || config.browser.secondary == "librewolf")
+      {
+        programs.librewolf = {
+          enable = true;
+          nativeMessagingHosts = with pkgs; [
+            tridactyl-native
+          ];
+          profiles = {
+            default = {
+              settings = {
+                "signon.rememberSignons" = false;
+                "findbar.highlightAll" = true;
+                "extensions.autoDisableScopes" = 0;
+              };
+              extensions = {
+                packages = with inputs.firefox-addons.packages.${pkgs.system}; [
+                  duckduckgo-privacy-essentials
+                  istilldontcareaboutcookies
+                  libredirect
+                  keepassxc-browser
+                  react-devtools
+                  sponsorblock
+                  tridactyl
+                  ublock-origin
+                ];
+              };
+              bookmarks = {
+                force = true;
+                settings = [
+                  {
+                    toolbar = true;
+                    bookmarks = [
+                      bookmarks.nixos
+                    ];
+                  }
+                ];
+              };
+            };
+          };
+          policies = {
+            DefaultDownloadDirectory = "\${home}/dl";
+            ExtensionSettings = {
+              "jid1-ZAdIEUB7XOzOJw@jetpack" = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+              "idcac-pub@guus.ninja" = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+              "7esoorv3@alefvanoon.anonaddy.me" = {
+                default_area = "navbar";
+              };
+              "keepassxc-browser@keepassxc.org" = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+              "@react-devtools" = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+              "sponsorBlocker@ajay.app" = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+              "tridactyl.vim@cmcaine.co.uk".settings = {
+                private_browsing = true;
+              };
+              "uBlock0@raymondhill.net".settings = {
+                default_area = "navbar";
+                private_browsing = true;
+              };
+            };
+          };
+        };
+      };
+}

home/modules/desktop/niri/config.kdl

@@ -0,0 +1,183 @@
+input {
+    touchpad {
+        tap
+        natural-scroll
+    }
+    mouse {
+        accel-profile "flat"
+    }
+}
+
+// NOTE: monitors are managed using `shikane` instead, as I assume this to be
+// too limited for multiple multimonitor configurations. Below is an example
+// for a simple, fixed, vertical dual monitor setup
+
+// output "eDP-1" {
+//   position x=0 y=1440
+// }
+//
+// output "DP-5" {
+//   position x=0 y=0
+// }
+
+layout {
+    gaps 4
+    struts {}
+    center-focused-column "never"
+    preset-column-widths {
+        proportion 0.382
+        proportion 0.618
+        proportion 1.0
+    }
+    default-column-width { }
+    focus-ring {
+        off
+    }
+    border {
+        width 2
+        active-color "#555555"
+        inactive-color "#55555511"
+        urgent-color "#ff0000"
+    }
+    shadow {
+        on
+        softness 32
+        spread 4
+        offset x=0 y=0
+        color "#0007"
+    }
+}
+
+spawn-at-startup "wlsunset -l 51.05 -L 3.72"
+spawn-at-startup "waybar"
+
+hotkey-overlay {
+    skip-at-startup
+}
+
+prefer-no-csd
+
+screenshot-path "~/doc/screenshots/%Y-%m-%d %H-%M-%S.png"
+
+// https://yalter.github.io/niri/Configuration:-Animations
+animations {
+    slowdown 0.66
+}
+
+window-rule {
+    match app-id=r#"firefox$"# title="^Picture-in-Picture$"
+    open-floating true
+}
+
+window-rule {
+    match app-id=r#"^org\.keepassxc\.KeePassXC$"#
+    block-out-from "screen-capture"
+}
+
+window-rule {
+    geometry-corner-radius 0
+    clip-to-geometry true
+}
+
+gestures {
+  hot-corners {
+    off
+  }
+}
+
+binds {
+    Mod+Slash { show-hotkey-overlay; }
+
+    Mod+Return hotkey-overlay-title="Open a Terminal: kitty"     { spawn "kitty"; }
+    Mod+P hotkey-overlay-title="Run an Application: fuzzel"      { spawn "fuzzel"; }
+    Super+Alt+L hotkey-overlay-title="Lock the Screen: swaylock" { spawn "swaylock"; }
+
+    XF86AudioRaiseVolume allow-when-locked=true { spawn-sh "wpctl set-volume @DEFAULT_AUDIO_SINK@ 0.1+"; }
+    XF86AudioLowerVolume allow-when-locked=true { spawn-sh "wpctl set-volume @DEFAULT_AUDIO_SINK@ 0.1-"; }
+    XF86AudioMute        allow-when-locked=true { spawn-sh "wpctl set-mute @DEFAULT_AUDIO_SINK@ toggle"; }
+    XF86AudioMicMute     allow-when-locked=true { spawn-sh "wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle"; }
+
+    Mod+Shift+XF86Display { power-off-monitors; }
+    XF86MonBrightnessUp allow-when-locked=true   { spawn "brightnessctl" "--class=backlight" "set" "+10%"; }
+    XF86MonBrightnessDown allow-when-locked=true { spawn "brightnessctl" "--class=backlight" "set" "10%-"; }
+
+    Mod+O repeat=false            { toggle-overview; }
+    Mod+Delete repeat=false { close-window; }
+
+    Mod+H { focus-column-left; }
+    Mod+J { focus-window-or-workspace-down; }
+    Mod+K { focus-window-or-workspace-up; }
+    Mod+L { focus-column-right; }
+
+    Mod+Shift+H { move-column-left; }
+    Mod+Shift+J { move-window-down-or-to-workspace-down; }
+    Mod+Shift+K { move-window-up-or-to-workspace-up; }
+    Mod+Shift+L { move-column-right; }
+
+    Mod+Home      { focus-column-first; }
+    Mod+End       { focus-column-last; }
+    Mod+Ctrl+Home { move-column-to-first; }
+    Mod+Ctrl+End  { move-column-to-last; }
+
+    Mod+Left        { focus-monitor-left; }
+    Mod+Down        { focus-monitor-down; }
+    Mod+Up          { focus-monitor-up; }
+    Mod+Right       { focus-monitor-right; }
+    Mod+Shift+Left  { move-column-to-monitor-left; }
+    Mod+Shift+Down  { move-column-to-monitor-down; }
+    Mod+Shift+Up    { move-column-to-monitor-up; }
+    Mod+Shift+Right { move-column-to-monitor-right; }
+
+    Mod+Ctrl+Up   { move-workspace-down; }
+    Mod+Ctrl+Down { move-workspace-up; }
+
+    // Mod+WheelScrollDown       cooldown-ms=150 { focus-workspace-down; }
+    // Mod+WheelScrollUp         cooldown-ms=150 { focus-workspace-up; }
+    // Mod+Shift+WheelScrollDown cooldown-ms=150 { move-window-down-or-to-workspace-down; }
+    // Mod+Shift+WheelScrollUp   cooldown-ms=150 { move-window-up-or-to-workspace-up; }
+
+    // Mod+A { focus-workspace 1; }
+    // Mod+S { focus-workspace 2; }
+    // Mod+D { focus-workspace 3; }
+    // Mod+F { focus-workspace 4; }
+    // Mod+Shift+A { move-column-to-workspace 1; }
+    // Mod+Shift+S { move-column-to-workspace 2; }
+    // Mod+Shift+D { move-column-to-workspace 3; }
+    // Mod+Shift+F { move-column-to-workspace 4; }
+
+    Mod+Tab { focus-workspace-previous; }
+
+    Mod+BracketLeft  { consume-or-expel-window-left; }
+    Mod+BracketRight { consume-or-expel-window-right; }
+
+    Mod+Comma  { consume-window-into-column; }
+    Mod+Period { expel-window-from-column; }
+
+    Mod+N       { switch-preset-column-width; }
+    Mod+Shift+N { switch-preset-window-height; }
+    Mod+Ctrl+R  { reset-window-height; }
+
+    Mod+Space       { maximize-column; }
+    Mod+Shift+Space { fullscreen-window; }
+
+    Mod+Escape       { toggle-window-floating; }
+    Mod+Shift+Escape { switch-focus-between-floating-and-tiling; }
+
+    Mod+Ctrl+F { expand-column-to-available-width; }
+
+    Mod+C      { center-column; }
+    Mod+Ctrl+C { center-visible-columns; }
+
+    Mod+Minus       { set-column-width "-10%"; }
+    Mod+Equal       { set-column-width "+10%"; }
+    Mod+Shift+Minus { set-window-height "-10%"; }
+    Mod+Shift+Equal { set-window-height "+10%"; }
+
+    Mod+W { toggle-column-tabbed-display; }
+
+    Print      { screenshot; }
+    Ctrl+Print { screenshot-screen; }
+    Alt+Print  { screenshot-window; }
+
+    Mod+Shift+Delete { quit; }
+}

home/modules/desktop/niri/default.nix

@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+
+{
+  imports = [
+    ../../fuzzel
+    ../../mako
+    ../../shikane
+    ../../waybar
+  ];
+
+  home = {
+    file.".config/niri/config.kdl".source = ./config.kdl;
+    packages = with pkgs; [
+      wl-clipboard
+      wlsunset
+    ];
+  };
+}

home/modules/firefox.nix

@@ -1,93 +0,0 @@
-{ inputs, pkgs, ... }:
-
-{
-  enable = true;
-  nativeMessagingHosts = with pkgs; [
-    tridactyl-native
-  ];
-  policies = {
-    DefaultDownloadDirectory = "\${home}/dl";
-  };
-  profiles = {
-    default = {
-      settings = {
-        "signon.rememberSignons" = false;
-        "findbar.highlightAll" = true;
-        "extensions.autoDisableScopes" = 0; # Enable extensions by default <https://nix-community.github.io/home-manager/options.xhtml#opt-programs.firefox.profiles._name_.extensions.packages>
-      };
-      extensions = {
-        packages = with inputs.firefox-addons.packages.${pkgs.system}; [
-          duckduckgo-privacy-essentials
-          istilldontcareaboutcookies
-          libredirect
-          keepassxc-browser
-          react-devtools
-          sponsorblock
-          tridactyl
-          ublock-origin
-        ];
-      };
-      bookmarks = {
-        force = true;
-        settings = [
-          {
-            toolbar = true;
-            bookmarks = [
-              {
-                name = "NixOS";
-                bookmarks = [
-                  {
-                    name = "wiki";
-                    url = "https://wiki.nixos.org/wiki/NixOS_Wiki";
-                  }
-                  {
-                    name = "packages";
-                    url = "https://search.nixos.org/packages";
-                  }
-                  {
-                    name = "options";
-                    url = "https://search.nixos.org/options";
-                  }
-                ];
-              }
-            ];
-          }
-        ];
-      };
-    };
-  };
-  policies = {
-    ExtensionSettings = {
-      "jid1-ZAdIEUB7XOzOJw@jetpack" = {
-        default_area = "navbar";
-        private_browsing = true;
-      };
-      "idcac-pub@guus.ninja" = {
-        default_area = "navbar";
-        private_browsing = true;
-      };
-      "7esoorv3@alefvanoon.anonaddy.me" = {
-        default_area = "navbar";
-      };
-      "keepassxc-browser@keepassxc.org" = {
-        default_area = "navbar";
-        private_browsing = true;
-      };
-      "@react-devtools" = {
-        default_area = "navbar";
-        private_browsing = true;
-      };
-      "sponsorBlocker@ajay.app" = {
-        default_area = "navbar";
-        private_browsing = true;
-      };
-      "tridactyl.vim@cmcaine.co.uk".settings = {
-        private_browsing = true;
-      };
-      "uBlock0@raymondhill.net".settings = {
-        default_area = "navbar";
-        private_browsing = true;
-      };
-    };
-  };
-}

home/modules/fuzzel/default.nix

@@ -0,0 +1,28 @@
+{
+  programs.fuzzel = {
+    enable = true;
+    settings = {
+      main = {
+        font = "Iosevka Term SS08";
+        horizontal-pad = 0;
+        vertical-pad = 0;
+      };
+      colors = {
+        background = "ccccccff";
+        text = "111111ff";
+        prompt = "ccccccff";
+        placeholder = "aaaaaaff";
+        input = "111111ff";
+        selection = "eeeeeeff";
+        selection-text = "111111ff";
+        selection-match = "333333ff";
+        counter = "111111ff";
+        border = "111111ff";
+      };
+      border = {
+        width = 2;
+        radius = 0;
+      };
+    };
+  };
+}

home/modules/hcloud/default.nix

@@ -0,0 +1,16 @@
+{
+  config,
+  lib,
+  osConfig ? null,
+  ...
+}:
+
+let
+  isNixOS = osConfig != null;
+in
+{
+  config = {
+    warnings = lib.optional (!isNixOS)
+      "hcloud module requires NixOS host configuration. This module will not work with standalone home-manager.";
+  };
+}

home/modules/hetzner/default.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+  home = {
+    packages = with pkgs; [ hcloud ];
+  };
+}

home/modules/keepassxc.nix

@@ -1,4 +1,11 @@
+{ pkgs, ... }:
+
 {
+  programs.keepassxc = {
     enable = true;
-  # TODO: https://mynixos.com/home-manager/option/programs.keepassxc.settings
+    settings = {
+      Browser.Enabled = true;
+    };
+  };
+  # programs.firefox.nativeMessagingHosts = [ pkgs.keepassxc ]; # FIXME: Resolve 'Access error for config file $HOME/.config/keepassxc/keepassxc.ini' error
 }

home/modules/kitty.nix

@@ -0,0 +1,10 @@
+{ pkgs, ... }:
+
+{
+  config = {
+    home.packages = [ pkgs.kitty ];
+    programs.bash.shellAliases = {
+      icat = "kitty +kitten icat";
+    };
+  };
+}

home/modules/mako/default.nix

@@ -0,0 +1,5 @@
+{
+  services.mako = {
+    enable = true;
+  };
+}

home/modules/nvim.nix

@@ -0,0 +1,9 @@
+{ inputs, ... }:
+
+{
+  config = {
+    home.packages = [
+      inputs.nvim.packages.${builtins.currentSystem}.nvim
+    ];
+  };
+}

home/modules/shell/bash.nix

@@ -0,0 +1,74 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.shell.bash;
+  username = config.home.username;
+  dotsPath = ../../../dots;
+in
+{
+  options.shell.bash = {
+    enable = lib.mkEnableOption "bash configuration";
+
+    aliases = {
+      all = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Enable common aliases";
+      };
+      lang-js = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Enable JavaScript/Node.js aliases";
+      };
+    };
+
+    addBinToPath = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Add dots .bin directory to PATH";
+    };
+
+    extraInit = lib.mkOption {
+      type = lib.types.lines;
+      default = "";
+      description = "Additional bash initialization";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    shell-utils.enable = lib.mkDefault true;
+
+    programs.bash = {
+      enable = true;
+      enableCompletion = true;
+      initExtra = ''
+        for f in /home/${username}/.bashrc.d/*; do
+          [ -f "$f" ] && source "$f"
+        done
+
+        ${lib.optionalString cfg.aliases.all "source /home/${username}/.bash_aliases/all"}
+        ${lib.optionalString cfg.aliases.lang-js "source /home/${username}/.bash_aliases/lang-js"}
+
+        ${lib.optionalString cfg.addBinToPath "export PATH=${dotsPath}/.bin:$PATH"}
+
+        ${cfg.extraInit}
+      '';
+    };
+
+    home.file = {
+      ".inputrc".source = dotsPath + "/.inputrc";
+      ".bashrc.d/prompt".source = dotsPath + "/.bashrc.d/prompt";
+      ".bashrc.d/editor".source = dotsPath + "/.bashrc.d/editor";
+    }
+    // lib.optionalAttrs cfg.aliases.all {
+      ".bash_aliases/all".source = dotsPath + "/.bash_aliases/all";
+    }
+    // lib.optionalAttrs cfg.aliases.lang-js {
+      ".bash_aliases/lang-js".source = dotsPath + "/.bash_aliases/lang-js";
+    };
+  };
+}

home/modules/shell/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./bash.nix
+    ./utils.nix
+    ./prompt.nix
+  ];
+}

home/modules/shell/prompt.nix

@@ -0,0 +1,17 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  options.starship = {
+    enable = lib.mkEnableOption "starship prompt";
+  };
+
+  config = lib.mkIf config.starship.enable {
+    programs.starship = {
+      enable = true;
+    };
+  };
+}

home/modules/shell/utils.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  options.shell-utils = {
+    enable = lib.mkEnableOption "shell utilities";
+  };
+
+  config = lib.mkIf config.shell-utils.enable {
+    programs.fzf = {
+      enable = true;
+      enableBashIntegration = lib.mkDefault true;
+    };
+
+    home.packages = with pkgs; [
+      ripgrep
+      bat
+      jq
+      entr
+      parallel
+    ];
+  };
+}

home/modules/shikane/default.nix

@@ -0,0 +1,6 @@
+{ pkgs, ... }:
+
+{
+  home.packages = with pkgs; [ wdisplays ];
+  services.shikane.enable = true;
+}

home/modules/ssh.nix

@@ -0,0 +1,25 @@
+{
+  outputs,
+  lib,
+  ...
+}:
+let
+  nixosConfigs = builtins.attrNames outputs.nixosConfigurations;
+  homeConfigs = map (n: lib.last (lib.splitString "@" n)) (
+    builtins.attrNames outputs.homeConfigurations
+  );
+  allHosts = lib.unique (homeConfigs ++ nixosConfigs);
+  hostsWithKeys = lib.filter (
+    hostname: builtins.pathExists ../../hosts/${hostname}/ssh_host.pub
+  ) allHosts;
+in
+{
+  programs.ssh = {
+    enable = true;
+    enableDefaultConfig = false;
+
+    matchBlocks = lib.genAttrs hostsWithKeys (hostname: {
+      host = hostname;
+    });
+  };
+}

home/modules/taskwarrior.nix

@@ -1,12 +1,24 @@
 {
   config,
+  lib,
   pkgs,
+  osConfig ? null,
   ...
 }:
 
+let
+  hmSopsAvailable = config ? sops && config.sops ? templates;
+  osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? templates;
+  sopsAvailable = hmSopsAvailable || osSopsAvailable;
+
+  sopsTemplates = if hmSopsAvailable then config.sops.templates else osConfig.sops.templates;
+in
 {
+  warnings =
+    lib.optional (!sopsAvailable && config.programs.taskwarrior.enable)
+      "taskwarrior is enabled, but sops templates are not available. taskwarrior sync will not be configured.";
+
   home.packages = with pkgs; [
-    python314
     libnotify
   ];
 
@@ -35,17 +47,10 @@
     package = taskwarrior3;
     colorTheme = "dark-256";
     config = {
-      # sync = {
-      #   server.url = "${builtins.readFile config.sops.secrets."taskwarrior_sync_server_url".path}";
-      #   server.client_id = "${builtins.readFile
-      #     config.sops.secrets."taskwarrior_sync_server_client_id".path
-      #   }";
-      #   encryption_secret = "${builtins.readFile
-      #     config.sops.secrets."taskwarrior_sync_encryption_secret".path
-      #   }";
-      # };
       recurrence = "off";
     };
-    extraConfig = "include ${config.sops.templates."taskrc.d/sync".path}";
+    extraConfig = lib.optionalString sopsAvailable ''
+      include ${sopsTemplates."taskrc.d/sync".path}
+    '';
   };
 }

home/modules/waybar/config.jsonc

@@ -0,0 +1,57 @@
+[
+  {
+    "height": 16,
+    "spacing": 4,
+    "modules-left": ["niri/workspaces"],
+    "modules-right": [
+      "pulseaudio",
+      "memory",
+      "cpu",
+      "network",
+      "clock",
+      "battery",
+    ],
+    "clock": {
+      "format": "W{:%V %d %b %H:%M}",
+      "tooltip-format": "{calendar}",
+      "format-alt": "{:%Y-%m-%d %H:%M:%S}",
+    },
+    "battery": {
+      "bat": "BAT0",
+      "adapter": "ADP1",
+      "interval": 5,
+      "full-at": 99,
+      "states": {
+        "good": 80,
+        "warning": 20,
+        "critical": 10,
+      },
+      "format": "{capacity}%--",
+      "format-charging": "{capacity}%++",
+      "format-plugged": "{capacity}%",
+      "format-alt": "{time} {power}W",
+    },
+    "pulseaudio": {
+      "format": "VOL {volume}%",
+      "format-muted": "muted",
+      "on-click": "pavucontrol",
+    },
+    "memory": {
+      "interval": 2,
+      "format": "RAM {percentage}%",
+      "format-alt": "RAM {used:0.1f}G/{total:0.1f}G",
+    },
+    "cpu": {
+      "interval": 2,
+      "format": "CPU {usage}%",
+      "format-alt": "CPU {avg_frequency}GHz",
+    },
+    "network": {
+      "interval": 5,
+      "format-wifi": "{ifname} {ipaddr} {essid}",
+      "format-ethernet": "{ifname} {ipaddr}",
+      "format-disconnected": "{ifname} disconnected",
+      "tooltip-format": "{ifname}: {ipaddr}/{cidr}",
+    },
+  },
+]

home/modules/waybar/default.nix

@@ -0,0 +1,8 @@
+{
+  programs.waybar = {
+    enable = true;
+  };
+
+  home.file.".config/waybar/config.jsonc".source = ./config.jsonc;
+  home.file.".config/waybar/style.css".source = ./style.css;
+}

home/modules/waybar/style.css

@@ -0,0 +1,56 @@
+* {
+  font-family:
+    Iosevka Term SS08,
+    monospace;
+  font-size: 12px;
+  border-radius: 0px;
+}
+
+.modules-left,
+.modules-center,
+.modules-right {
+  margin: 4px;
+  margin-bottom: 0;
+}
+
+window#waybar {
+  background-color: transparent;
+}
+
+window#waybar.hidden {
+  opacity: 0.2;
+}
+
+#workspaces button {
+  padding: 0;
+  background-color: transparent;
+}
+
+#workspaces button:hover {
+  background: #000000;
+}
+
+#workspaces button.focused,
+#workspaces button.active {
+  background-color: #111111;
+}
+
+#workspaces button.urgent {
+  background-color: #eb4d4b;
+}
+
+#clock,
+#battery,
+#pulseaudio,
+#memory,
+#cpu,
+#network {
+  padding: 0 4px;
+  color: #ffffff;
+  background-color: #111111;
+}
+
+#window,
+#workspaces {
+  margin: 0;
+}

hosts/andromache/default.nix

@@ -1,44 +1,53 @@
 {
   lib,
   inputs,
+  outputs,
   config,
   pkgs,
   ...
 }:
-
 let
   username = "h";
+  hostName = "andromache";
+  wolInterfaces = import ./wol-interfaces.nix;
 in
 {
   imports = [
-    ../../modules/common.nix
-    inputs.disko.nixosModules.disko
-    inputs.sops-nix.nixosModules.sops
-    inputs.home-manager.nixosModules.default
+    ../../modules/common
     ./hard.nix
-    ../../modules/bootloader.nix
-    (import ../../modules/disko.zfs-encrypted-root.nix {
+    inputs.sops-nix.nixosModules.sops
+    ../../modules/boot/bootloader.nix
+    (import ../../modules/disko/zfs-encrypted-root.nix {
+      inherit lib config;
       device = "/dev/nvme1n1";
-      inherit lib;
-      inherit config;
     })
-    ../../modules/gnome.nix
-    ../../modules/bluetooth.nix
+    ../../modules/desktops/niri
+    ../../modules/bluetooth
     ../../modules/keyboard
-    (import ../../modules/networking.nix { hostName = "andromache"; })
-    ../../modules/users.nix
-    ../../modules/audio.nix
-    ../../modules/localization.nix
+    (import ../../modules/networking { hostName = hostName; })
+    ../../modules/users
+    ../../modules/audio
+    ../../modules/localization
     ../../modules/fonts
     ../../modules/ssh/hardened-openssh.nix
-    (import ../../modules/secrets {
-      inherit lib;
-      inherit inputs;
-      inherit config;
-    })
-    ../../modules/docker.nix
+    (import ../../modules/secrets { inherit lib inputs config; })
+    ../../modules/docker
   ];
 
+  home-manager.users.${username} = import ../../home/hosts/andromache {
+    inherit
+      inputs
+      config
+      pkgs
+      lib
+      ;
+  };
+
+  networking.hostName = hostName;
+
+  ssh.username = username;
+  ssh.authorizedHosts = [ "astyanax" ];
+
   secrets.username = username;
   docker.user = username;
 
@@ -75,22 +84,9 @@ in
     };
   };
 
-  environment.systemPackages = [ inputs.nvim.packages.x86_64-linux.nvim ];
-
-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    users.${username} = import ../../home/hosts/andromache {
-      inherit lib;
-      inherit inputs;
-      inherit config;
-      inherit pkgs;
-    };
-  };
-
-  networking = {
-    hostId = "80eef97e";
-  };
+  environment.systemPackages = [
+    inputs.nvim.packages.x86_64-linux.nvim
+  ];
 
   services.xserver = {
     videoDrivers = [ "nvidia" ];
@@ -104,16 +100,18 @@ in
   services.syncthing = {
     enable = true;
     openDefaultPorts = true;
+    settings = {
+      devices = {
+        # "device1" = {
+        #   id = "DEVICE-ID-GOES-HERE";
+        # };
+      };
       folders = {
         "/home/${username}/sync" = {
           id = "sync";
           devices = [ ];
         };
       };
-    devices = {
-      # "device1" = {
-      #   id = "DEVICE-ID-GOES-HERE";
-      # };
     };
   };
 
@@ -123,9 +121,12 @@ in
   };
 
   networking = {
+    # TODO: generate unique hostId on actual host with: head -c 8 /etc/machine-id
+    hostId = "80eef97e";
     interfaces = {
       eno1 = {
         wakeOnLan.enable = true;
+        macAddress = wolInterfaces.eno1.macAddress;
       };
     };
     firewall = {

hosts/andromache/ssh_host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG7TMnKO4EqISk2s/xy+3P2xn8XcMOuzZrSiYTZT+8m2 root@andromache

hosts/andromache/ssh_user.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOOXPEhdKOVnb6mkeLLUcFGt+mnUR5pMie17JtjrxwgO h@andromache

hosts/andromache/wol-interfaces.nix

@@ -0,0 +1,3 @@
+{
+  eno1.macAddress = "02:68:b3:29:da:98";
+}

hosts/astyanax/default.nix

@@ -1,70 +1,98 @@
 {
   lib,
   inputs,
+  outputs,
   config,
   pkgs,
   ...
 }:
-
 let
   username = "h";
   hostName = "astyanax";
+  wolInterfaces = import ../andromache/wol-interfaces.nix;
 in
 {
   imports = [
-    ../../modules/common.nix
-    inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-intel
-    inputs.disko.nixosModules.disko
-    inputs.sops-nix.nixosModules.sops
-    inputs.home-manager.nixosModules.default
+    ../../modules/common
     ./hard.nix
-    ../../modules/bootloader.nix
-    (import ../../modules/disko.zfs-encrypted-root.nix {
-      inherit lib;
-      inherit config;
+    # inputs.nixos-hardware.nixosModules.lenovo-thinkpad-e14-intel
+    inputs.sops-nix.nixosModules.sops
+    ../../modules/boot/bootloader.nix
+    (import ../../modules/disko/zfs-encrypted-root.nix {
+      inherit lib config;
       device = "/dev/nvme0n1";
     })
-    ../../modules/gnome.nix
-    ../../modules/bluetooth.nix
+    ../../modules/desktops/niri
+    ../../modules/bluetooth
     ../../modules/keyboard
-    (import ../../modules/networking.nix { hostName = hostName; })
-    ../../modules/users.nix
-    ../../modules/audio.nix
-    ../../modules/localization.nix
+    (import ../../modules/networking { hostName = hostName; })
+    ../../modules/users
+    ../../modules/audio
+    ../../modules/localization
     ../../modules/fonts
     ../../modules/ssh/hardened-openssh.nix
-    (import ../../modules/secrets {
-      inherit lib;
-      inherit inputs;
-      inherit config;
-      inherit username;
+    ../../modules/vpn/wireguard.nix
+    (import ../../modules/secrets { inherit lib inputs config; })
+    ../../modules/docker
+  ];
+
+  home-manager.users.${username} = import ../../home/hosts/astyanax {
+    inherit
+      inputs
+      config
+      pkgs
+      lib
+      ;
+  };
+
+  networking.hostName = hostName;
+
+  ssh.username = username;
+  ssh.authorizedHosts = [ "andromache" ];
+
+  secrets.username = username;
+  docker.user = username;
+
+  hardware = {
+    cpu.intel.updateMicrocode = true;
+    # https://wiki.nixos.org/wiki/Intel_Graphics
+    graphics = {
+      enable = true;
+      extraPackages = with pkgs; [
+        intel-media-driver
+        vpl-gpu-rt
+      ];
+    };
+  };
+
+  # https://wiki.nixos.org/wiki/Intel_Graphics
+  environment.sessionVariables = {
+    LIBVA_DRIVER_NAME = "iHD";
+  };
+
+  environment.systemPackages = [
+    inputs.nvim.packages.x86_64-linux.nvim
+    (pkgs.writeShellApplication {
+      name = "wol-andromache";
+      runtimeInputs = [ pkgs.wakeonlan ];
+      text = ''
+        wakeonlan ${wolInterfaces.eno1.macAddress}
+      '';
     })
   ];
 
-  secrets.username = username;
-
-  environment.systemPackages = [ inputs.nvim.packages.x86_64-linux.nvim ];
-
-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    users.${username} = import ../../home/hosts/astyanax {
-      inherit inputs;
-      inherit config;
-      inherit pkgs;
-    };
-  };
-
   networking = {
+    # TODO: generate unique hostId on actual host with: head -c 8 /etc/machine-id
     hostId = "80eef97e";
   };
 
-  services.openssh = {
+  services = {
+    fwupd.enable = true;
+    openssh = {
       enable = true;
       harden = true;
     };
-
-  services.syncthing = {
+    syncthing = {
       enable = true;
       openDefaultPorts = true;
       folders = {
@@ -79,9 +107,9 @@ in
         # };
       };
     };
-
-  services.locate = {
+    locate = {
       enable = true;
       package = pkgs.plocate;
     };
+  };
 }

hosts/astyanax/ssh_host.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO8+UOyZbvQeHfFfYox3SQi42KJ0S3RZj79iswSsZeFy root@nixos

hosts/astyanax/ssh_user.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIzP1PjIDb1tN9nhPOK88HYDtTNk9SN9ZpEem2id49Fa h@astyanax

hosts/hecuba/default.nix

@@ -0,0 +1,70 @@
+{
+  lib,
+  inputs,
+  outputs,
+  config,
+  pkgs,
+  ...
+}:
+
+# Also see <https://wiki.nixos.org/wiki/Install_NixOS_on_Hetzner_Cloud>
+
+let
+  username = "username";
+  hostName = "hecuba";
+in
+{
+  imports = [
+    ../../modules/common
+    ./hard.nix
+    ../../modules/ssh/hardened-openssh.nix
+  ];
+
+  networking.hostName = hostName;
+  ssh.username = username;
+  ssh.authorizedHosts = [ "andromache" ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "ext4";
+  };
+  swapDevices = [
+    {
+      device = "/dev/disk/by-label/swap";
+    }
+  ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/sda";
+
+  users.users = {
+    root.hashedPassword = "!";
+    username = {
+      isNormalUser = true;
+      extraGroups = [ "wheel" ];
+    };
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  networking.firewall.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    vim
+    git
+  ];
+
+  services.fail2ban = {
+    enable = true;
+    maxretry = 5;
+  };
+
+  services.openssh = {
+    enable = true;
+    harden = true;
+  };
+}

hosts/hecuba/hard.nix

@@ -0,0 +1,37 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "ahci"
+    "xhci_pci"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/vm/default.nix

@@ -1,39 +1,43 @@
 {
   lib,
   inputs,
+  outputs,
   config,
   pkgs,
   ...
 }:
-
 let
   username = "h";
+  hostName = "vm";
 in
 {
   imports = [
-    ../../modules/common.nix
-    inputs.disko.nixosModules.disko
-    inputs.sops-nix.nixosModules.sops
-    inputs.home-manager.nixosModules.default
+    ../../modules/common
     ./hard.nix
+    inputs.sops-nix.nixosModules.sops
     ./disk.nix
-    ../../modules/bootloader.nix
+    ../../modules/boot/bootloader.nix
     ../../modules/keyboard
-    (import ../../modules/networking.nix { hostName = "vm"; })
-    ../../modules/users.nix
-    ../../modules/audio.nix
-    ../../modules/localization.nix
-    ../../modules/x.nix
+    (import ../../modules/networking { hostName = hostName; })
+    ../../modules/users
+    ../../modules/audio
+    ../../modules/localization
+    ../../modules/x
     ../../modules/fonts
     ../../modules/ssh/hardened-openssh.nix
     (import ../../modules/secrets {
-      inherit lib;
-      inherit inputs;
-      inherit config;
+      inherit lib inputs config;
     })
   ];
 
-  secrets.username = "h";
+  home-manager.users.${username} = import ../../home/hosts/vm {
+    inherit inputs config pkgs;
+  };
+
+  networking.hostName = hostName;
+  ssh.username = username;
+
+  secrets.username = username;
 
   environment.systemPackages = [ inputs.nvim.packages.x86_64-linux.nvim ];
 
@@ -55,16 +59,6 @@ in
     };
   };
 
-  home-manager = {
-    useGlobalPkgs = true;
-    useUserPackages = true;
-    users.${username} = import ../../home/hosts/vm {
-      inherit inputs;
-      inherit config;
-      inherit pkgs;
-    };
-  };
-
   services.qemuGuest.enable = true;
   services.spice-vdagentd.enable = true;
 

modules/audio/default.nix

@@ -9,4 +9,5 @@
     alsa.support32Bit = true;
     pulse.enable = true;
   };
+  services.pulseaudio.extraConfig = "load-module module-switch-on-connect";
 }

modules/bluetooth.nix

@@ -1,3 +0,0 @@
-{
-  hardware.bluetooth.enable = true;
-}

modules/bluetooth/default.nix

@@ -0,0 +1,15 @@
+{
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = true;
+    settings = {
+      General = {
+        Experimental = true;
+        FastConnectable = true;
+      };
+      Policy = {
+        AutoEnable = true;
+      };
+    };
+  };
+}

modules/common.nix

@@ -1,10 +0,0 @@
-{
-  system.stateVersion = "25.05";
-
-  nix.settings.experimental-features = [
-    "nix-command"
-    "flakes"
-  ];
-
-  nixpkgs.config.allowUnfree = true;
-}

modules/common/default.nix

@@ -0,0 +1,50 @@
+{ inputs, outputs, ... }:
+
+{
+  imports = [
+    inputs.disko.nixosModules.disko
+    inputs.home-manager.nixosModules.default
+  ];
+
+  system.stateVersion = "25.05";
+
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
+  nixpkgs.config.allowUnfree = true;
+
+  home-manager = {
+    useGlobalPkgs = true;
+    useUserPackages = true;
+    extraSpecialArgs = {
+      inherit inputs outputs;
+    };
+  };
+
+  nix.optimise = {
+    automatic = true;
+    dates = [ "05:00" ];
+  };
+
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 30d";
+  };
+
+  system.autoUpgrade = {
+    enable = true;
+    flake = inputs.self.outPath;
+    operation = "switch";
+    flags = [
+      "--recreate-lock-file"
+      "--commit-lock-file"
+      "--print-build-logs"
+    ];
+    dates = "05:00";
+    randomizedDelaySec = "45min";
+    allowReboot = false;
+  };
+}

modules/desktops/niri/default.nix

@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+
+{
+  programs.niri.enable = true;
+
+  services.dbus.enable = true;
+  services.logind.settings.Login = {
+    HandleLidSwitch = "suspend";
+  };
+
+  services.displayManager.ly = {
+    enable = true;
+  };
+}

modules/fonts/default.nix

@@ -1,5 +1,16 @@
+{ pkgs, ... }:
+
 {
   imports = [
     ./iosevka.nix
   ];
+
+  fonts = {
+    # disable default font packages (see https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/config/fonts/packages.nix)
+    enableDefaultPackages = false;
+    packages = with pkgs; [
+      dejavu_fonts
+      liberation_ttf
+    ];
+  };
 }

modules/fonts/iosevka.nix

@@ -1,7 +1,14 @@
 { pkgs, ... }:
 
 {
-  fonts.packages = with pkgs; [
+  fonts = {
+    packages = with pkgs; [
       (iosevka-bin.override { variant = "SGr-IosevkaTermSS08"; })
     ];
+    fontconfig = {
+      defaultFonts = {
+        monospace = [ "Iosevka Term SS08" ];
+      };
+    };
+  };
 }

modules/k3s/default.nix

@@ -0,0 +1,79 @@
+{ pkgs, ... }:
+
+{
+  # TODO: see if this works with podman
+  # TODO: check if docker/podman is enabled
+
+  # Rootless K3S
+
+  # FIXME
+  environment.systemPackages = with pkgs; [
+    k3s
+    rootlesskit
+    slirp4netns
+  ];
+
+  # running K3S on rootless docker was causing the following error: "failed to find cpuset cgroup (v2)" (in `docker logs k3d-lab-server-0` output)
+  #
+  # see <https://docs.k3s.io/advanced#known-issues-with-rootless-mode>
+  # see <https://rootlesscontaine.rs/getting-started/common/cgroup2/>
+  # see <https://discourse.nixos.org/t/declarative-rootless-k3s/49839>
+  systemd.services."user@".serviceConfig.Delegate = "cpu cpuset io memory pids";
+
+  # taken from <https://github.com/k3s-io/k3s/blob/main/k3s-rootless.service> as described in <https://docs.k3s.io/advanced#known-issues-with-rootless-mode#Rootless>
+  systemd.user.services."k3s-rootless" = with pkgs; {
+    path = with pkgs; [
+      "${rootlesskit}"
+      "${slirp4netns}"
+      "${fuse-overlayfs}"
+      "${fuse3}"
+      "/run/wrappers"
+    ];
+    # systemd unit file for k3s (rootless)
+    #
+    # Usage:
+    # - [Optional] Enable cgroup v2 delegation, see https://rootlesscontaine.rs/getting-started/common/cgroup2/ .
+    #   This step is optional, but highly recommended for enabling CPU and memory resource limtitation.
+    #
+    # - Copy this file as `~/.config/systemd/user/k3s-rootless.service`.
+    #   Installing this file as a system-wide service (`/etc/systemd/...`) is not supported.
+    #   Depending on the path of `k3s` binary, you might need to modify the `ExecStart=/usr/local/bin/k3s ...` line of this file.
+    #
+    # - Run `systemctl --user daemon-reload`
+    #
+    # - Run `systemctl --user enable --now k3s-rootless`
+    #
+    # - Run `KUBECONFIG=~/.kube/k3s.yaml kubectl get pods -A`, and make sure the pods are running.
+    #
+    # Troubleshooting:
+    # - See `systemctl --user status k3s-rootless` to check the daemon status
+    # - See `journalctl --user -f -u k3s-rootless` to see the daemon log
+    # - See also https://rootlesscontaine.rs/
+    enable = true;
+    description = "k3s (Rootless)";
+    serviceConfig = {
+      # NOTE: Don't try to run `k3s server --rootless` on a terminal, as it doesn't enable cgroup v2 delegation.
+      # If you really need to try it on a terminal, prepend `systemd-run --user -p Delegate=yes --tty` to create a systemd scope.
+      ExecStart = "${k3s}/bin/k3s server --rootless --snapshotter=fuse-overlayfs";
+      ExecReload = "/run/current-system/sw/bin/kill -s HUP $MAINPID";
+      TimeoutSec = 0;
+      RestartSec = 2;
+      Restart = "always";
+      StartLimitBurst = 3;
+      StartLimitInterval = "60s";
+      LimitNOFILE = "infinity";
+      LimitNPROC = "infinity";
+      LimitCORE = "infinity";
+      TasksMax = "infinity";
+      Delegate = "yes";
+      Type = "simple";
+      KillMode = "mixed";
+    };
+
+    wantedBy = [ "default.target" ];
+  };
+
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+}

modules/secrets/default.nix

@@ -16,7 +16,6 @@ in
   };
   config = {
     sops = {
-      validateSopsFiles = false;
       defaultSopsFile = "${builtins.toString inputs.nix-secrets}/secrets.yaml";
       defaultSopsFormat = "yaml";
       age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
@@ -27,6 +26,9 @@ in
         "taskwarrior_sync_encryption_secret".owner = config.users.users.${cfg.username}.name;
         "email_personal".owner = config.users.users.${cfg.username}.name;
         "email_work".owner = config.users.users.${cfg.username}.name;
+        "anki_sync_user".owner = config.users.users.${cfg.username}.name;
+        "anki_sync_key".owner = config.users.users.${cfg.username}.name;
+        "hcloud".owner = config.users.users.${cfg.username}.name;
       };
 
       templates."taskrc.d/sync" = {
@@ -55,6 +57,18 @@ in
             email = ${config.sops.placeholder."email_work"}
         '';
       };
+
+      templates."hcloud/cli.toml" = {
+        owner = config.users.users.${cfg.username}.name;
+        path = "/home/${cfg.username}/.config/hcloud/cli.toml";
+        content = ''
+          active_context = "server"
+
+          [[contexts]]
+            name = "server"
+            token = "${config.sops.placeholder."hcloud"}"
+        '';
+      };
     };
   };
 }

modules/ssh/authorized-keys.nix

@@ -0,0 +1,24 @@
+{ lib, config, ... }:
+{
+  options.ssh = {
+    authorizedHosts = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+    };
+    username = lib.mkOption {
+      type = lib.types.str;
+      default = "h";
+    };
+  };
+
+  # auto generate authorized_keys from `authorizedHosts`
+  config.users.users.${config.ssh.username}.openssh.authorizedKeys.keys = lib.flatten (
+    map (
+      hostname:
+      let
+        keyFile = ../../hosts/${hostname}/ssh_user.pub;
+      in
+      lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile))
+    ) config.ssh.authorizedHosts
+  );
+}

modules/ssh/extract-keys.nix

@@ -0,0 +1,24 @@
+{ lib, config, ... }:
+let
+  username = config.ssh.username;
+in
+{
+  # auto extract SSH keys
+  system.activationScripts.extractSshKeys = lib.stringAfter [ "etc" ] ''
+    HOST_KEY="/etc/ssh/ssh_host_ed25519_key.pub"
+    HOST_DIR="/home/${username}/nix/hosts/${config.networking.hostName}"
+
+    if [ -f "$HOST_KEY" ] && [ -d "$HOST_DIR" ]; then
+      cp "$HOST_KEY" "$HOST_DIR/ssh_host.pub"
+      chown ${username}:users "$HOST_DIR/ssh_host.pub"
+      chmod 644 "$HOST_DIR/ssh_host.pub"
+    fi
+
+    USER_KEY="/home/${username}/.ssh/id_ed25519.pub"
+    if [ -f "$USER_KEY" ] && [ -d "$HOST_DIR" ]; then
+      cp "$USER_KEY" "$HOST_DIR/ssh_user.pub"
+      chown ${username}:users "$HOST_DIR/ssh_user.pub"
+      chmod 644 "$HOST_DIR/ssh_user.pub"
+    fi
+  '';
+}

modules/ssh/hardened-openssh.nix

@@ -4,12 +4,21 @@ let
   cfg = config.services.openssh;
 in
 {
+  imports = [
+    ./known-hosts.nix
+    ./authorized-keys.nix
+    ./extract-keys.nix
+  ];
+
   options.services.openssh.harden = mkEnableOption "harden ssh server configuration";
+
   config = {
     networking.firewall.allowedTCPPorts = [ 22 ];
+
     services.openssh.settings = optionalAttrs cfg.harden {
       PermitRootLogin = "no";
       PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
       ChallengeResponseAuthentication = false;
       X11Forwarding = false;
       AllowAgentForwarding = false;

modules/ssh/known-hosts.nix

@@ -0,0 +1,19 @@
+{
+  lib,
+  config,
+  outputs,
+  ...
+}:
+let
+  hosts = lib.attrNames outputs.nixosConfigurations;
+  hostsWithKeys = lib.filter (
+    hostname: builtins.pathExists ../../hosts/${hostname}/ssh_host.pub
+  ) hosts;
+in
+{
+  # auto generate known_hosts for all hosts in flake
+  programs.ssh.knownHosts = lib.genAttrs hostsWithKeys (hostname: {
+    publicKeyFile = ../../hosts/${hostname}/ssh_host.pub;
+    extraHostNames = lib.optional (hostname == config.networking.hostName) "localhost";
+  });
+}

modules/x/default.nix

@@ -4,7 +4,7 @@
   services.xserver.windowManager.xmonad = {
     enable = true;
     enableContribAndExtras = true;
-    config = builtins.readFile ../dots/.xmonad/xmonad.hs;
+    config = builtins.readFile ../../dots/.xmonad/xmonad.hs;
   };
 
   services.xserver = {