fix: remove task count limits

.envrc

@@ -1 +0,0 @@
-use flake

.gitignore

@@ -9,5 +9,4 @@ result-*
 
 nixos-efi-vars.fd
 
-.direnv/
-.pre-commit-config.yaml
+/.pre-commit-config.yaml

deploy/colmena.nix

@@ -8,20 +8,28 @@ let
   utils = import ../utils { inherit lib; };
   hostDirNames = utils.dirNames ../hosts;
 
-  mkNode = hostname: meta: {
+  mkNode = hostname: tags: {
     imports = [ ../hosts/${hostname} ];
     deployment = {
-      inherit (meta.deployment) targetHost targetUser tags;
-      buildOnTarget = builtins.any (t: t != "local" && t != "arm") meta.deployment.tags;
+      targetHost = self.nixosConfigurations.${hostname}.config.ssh.publicHostname;
+      targetUser = self.nixosConfigurations.${hostname}.config.ssh.username;
+      buildOnTarget = builtins.any (t: t != "local" && t != "arm") tags;
+      inherit tags;
     };
   };
 
-  nodes = lib.genAttrs hostDirNames (hostname: mkNode hostname (utils.hostMeta ../hosts/${hostname}));
+  nodes = lib.genAttrs hostDirNames (
+    hostname: mkNode hostname (utils.hostMeta ../hosts/${hostname}).deployment.tags
+  );
 in
 inputs.colmena.lib.makeHive (
   {
     meta = {
-      nixpkgs = import inputs.nixpkgs { localSystem = "x86_64-linux"; };
+      nixpkgs = import inputs.nixpkgs {
+        localSystem = "x86_64-linux";
+      };
+
+      nodeNixpkgs = builtins.mapAttrs (_: v: v.pkgs) self.nixosConfigurations;
       specialArgs = {
         inherit inputs;
         outputs = self;

dots/.bin/save-zk

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+cd "$ZK_PATH" || echo "No zettelkasten directory found"
+git a . && git commit -m "Update" && git push

dots/.bin/setup-zk

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+if [ ! -d ~/.zk ]; then
+    echo "[zk] Setting up zettelkasten"
+    gh repo clone zk ~/.zk
+else
+    echo "[zk] Zettelkasten already set up."
+fi
+
+read -p "Would you like open your zettelkasten? [y/N] " -n 1 -r
+echo
+
+if [[ $REPLY =~ ^[Yy]$ ]]; then
+  if [ -x "$(command -v zk)" ]; then
+    zk
+  else
+    echo "Error: 'zk' command not found or not executable"
+    exit 1
+  fi
+fi

dots/.bin/zk

@@ -1,6 +1,8 @@
-current_zettel_path="$(cat "$ZK_PATH/current-zettel.txt")"
+#!/usr/bin/env bash
 
-if [ -n "${TMUX:-}" ]; then
+current_zettel_path="$ZK_PATH/$(cat "$ZK_PATH/current-zettel.txt")"
+
+if [ "$TERM_PROGRAM" = tmux ]; then
   cd "$ZK_PATH" && $EDITOR "$current_zettel_path"
 else
   echo 'Not in tmux'
@@ -10,9 +12,13 @@ else
   read -r -p 'Enter your choice: ' choice
   case $choice in
     1)
-      if tmux has-session -t zk 2>/dev/null; then
-        tmux attach -t zk
+      # Check if a tmux session is running with a window named zk
+      if tmux list-windows -F '#{window_name}' | grep -q zk; then
+        # Attach to the session containing the 'zk' window
+        session="$(tmux list-windows -F '#{window_name} #{session_name}' | grep zk | head -n 1 | awk '{ print $2 }')"
+        tmux attach -t "$session"
       else
+        # Create session with a window named 'zk' and start nvim
         tmux new-session -s zk -n zk -d
         tmux send-keys -t zk:zk "cd $ZK_PATH && $EDITOR $current_zettel_path" Enter
         tmux attach -t zk

dots/.config/nvim/after/plugin/hydra.lua

@@ -1,35 +0,0 @@
-local hydra_repl = "hydra-repl"
-
-if not vim.fn.executable(hydra_repl) then
-  return
-end
-
-local function send(lines)
-  vim.system({ hydra_repl, table.concat(lines, "\n") })
-end
-
-local function get_paragraph(buf)
-  local start_ = vim.fn.search("^$", "bnW")
-  local end_ = vim.fn.search("^$", "nW") - 1
-  if end_ < vim.api.nvim_win_get_cursor(0)[1] then
-    end_ = vim.api.nvim_buf_line_count(buf)
-  end
-  return vim.api.nvim_buf_get_lines(buf, start_, end_, false)
-end
-
-local function get_selection(buf)
-  return vim.api.nvim_buf_get_lines(buf, vim.fn.line("'<") - 1, vim.fn.line("'>"), false)
-end
-
-vim.api.nvim_create_autocmd("FileType", {
-  pattern = "javascript",
-  callback = function(e)
-    if vim.fn.fnamemodify(vim.api.nvim_buf_get_name(e.buf), ":e") ~= "hydra" then
-      return
-    end
-
-    local buf = e.buf
-    vim.keymap.set("n", "<CR>", function() send(get_paragraph(buf)) end, { buffer = buf, desc = "hydra: send block" })
-    vim.keymap.set("v", "<CR>", function() send(get_selection(buf)) end, { buffer = buf, desc = "hydra: send selection" })
-  end,
-})

dots/.config/nvim/after/plugin/wiki.vim.lua

@@ -1,8 +1,6 @@
-require("zk.utils")
-
 vim.cmd([[
 " Change local buffer to directory of current file after the plugin has loaded
-execute 'autocmd BufEnter' g:zk_path . '/*.md' 'silent lcd %:p:h'
+autocmd VimEnter * lcd %:p:h
 
 " " Override wiki index mapping to also cd into the wiki
 nm <leader>ww <plug>(wiki-index)
@@ -13,16 +11,11 @@ nm <leader>ww <plug>(wiki-index)
 " nm <leader>s <plug>(wiki-link-follow-split)
 " nm <leader>v <plug>(wiki-link-follow-vsplit)
 
-function! ZKContextualEcho()
-  let l:name = expand('%:t')
-  if l:name =~ '_' | echo 'hierarchical relation'
-  elseif l:name =~ '--' | echo 'relation'
-  elseif l:name =~ '<>' | echo 'dichotomy'
-  elseif l:name =~ 'my-' | echo 'personal file'
-  elseif l:name =~ 'project_' | echo 'project file'
-  endif
-endfunction
-execute 'autocmd BufEnter' g:zk_path . '/*.md' 'call ZKContextualEcho()'
+autocmd BufEnter *.md if expand('%:t') =~ '_' | echo 'hierarchical relation' | endif
+autocmd BufEnter *.md if expand('%:t') =~ '--' | echo 'relation' | endif
+autocmd BufEnter *.md if expand('%:t') =~ '<>' | echo 'dichotomy' | endif
+autocmd BufEnter *.md if expand('%:t') =~ 'my-' | echo 'personal file' | endif
+autocmd BufEnter *.md if expand('%:t') =~ 'project_' | echo 'project file' | endif
 
 " Only load wiki.vim for zk directory
 let g:wiki_index_name='index'
@@ -83,7 +76,7 @@ let g:wiki_templates = [
 "
 
 let g:wiki_filetypes=['md']
-let g:wiki_root=g:zk_path
+let g:wiki_root='~/.zk'
 let g:wiki_global_load=0
 let g:wiki_link_creation = {
       \ 'md': {

dots/.config/nvim/flake.lock

@@ -42,11 +42,11 @@
     },
     "nixCats": {
       "locked": {
-        "lastModified": 1777273601,
-        "narHash": "sha256-xBUa8Tl9V7IXI+VmLEuDc81La/EhoSn1C3EVSnJ3cfU=",
+        "lastModified": 1774835836,
+        "narHash": "sha256-6ok7iv/9R82vl6MYe3Lwyyb6S5bmW2PxEZtmjzlqyPs=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "f69ea013e328841a7def7037ed59788a76be8816",
+        "rev": "ebb9f279a55ca60ff4e37e4accf6518dc627aa8d",
         "type": "github"
       },
       "original": {
@@ -73,11 +73,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1777270315,
-        "narHash": "sha256-yKB4G6cKsQsWN7M6rZGk6gkJPDNPIzT05y4qzRyCDlI=",
+        "lastModified": 1775608838,
+        "narHash": "sha256-2ySoGH+SAi34U0PeuQgABC0WiH9LQ3tkyHTiE93KUeg=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "6368eda62c9775c38ef7f714b2555a741c20c72d",
+        "rev": "9a01fad67a57e44e1b3e1d905c6881bcfb209e8a",
         "type": "github"
       },
       "original": {

dots/.config/nvim/flake.nix

@@ -45,38 +45,13 @@
       inherit (nixCats) utils;
       luaPath = ./.;
       forEachSystem = utils.eachSystem nixpkgs.lib.platforms.all;
-      extra_pkg_config = {
-        allowUnfreePredicate =
-          pkg:
-          builtins.elem (nixpkgs.lib.getName pkg) [
-            "vim-sandwich"
-            "jupytext.nvim"
-            "eyeliner.nvim"
-            "context_filetype.vim"
-            "editorconfig-vim"
-            "unicode.vim"
-            "quarto-nvim"
-            "vim-openscad"
-            "lsp_lines.nvim"
-            "nvim-highlight-colors"
-            "nvim-lint"
-          ];
-      };
+      extra_pkg_config = { };
 
       mkDependencyOverlays = system: [
         (utils.standardPluginOverlay inputs)
         (_final: _prev: {
           mcp-hub = inputs.mcp-hub.packages.${system}.default;
         })
-        (_: prev: {
-          luajitPackages = prev.luajitPackages.overrideScope (
-            _: lprev: {
-              neotest = lprev.neotest.overrideAttrs (_: {
-                doCheck = false;
-              });
-            }
-          );
-        })
       ];
 
       categoryDefinitions =
@@ -87,11 +62,9 @@
         {
           lspsAndRuntimeDeps = with pkgs; {
             general = [
-              nodejs_24
               black
               clang
               clang-tools
-              curl # → plenary-nvim, mcp-hub
               delta
               emmet-language-server
               eslint_d
@@ -105,8 +78,6 @@
               mcp-hub
               nixd
               nixfmt
-              prettier
-              typescript-language-server
               ormolu
               prettierd
               rust-analyzer
@@ -115,7 +86,6 @@
               stylelint
               stylua
               tree-sitter
-              tailwindcss-language-server
               typescript-language-server
               vscode-langservers-extracted
               vtsls

dots/.config/nvim/lua/ftdetect.lua

@@ -9,6 +9,5 @@ vim.filetype.add({
     ["%.env.*"] = "dotenv",
     ["%.pl$"] = "prolog",
     [".*.containerfile.*"] = "dockerfile",
-    ["%.hydra$"] = "javascript",
   },
 })

dots/.config/nvim/lua/zk/cmp.lua

@@ -13,19 +13,13 @@ local function get_markdown_files(base)
   return items
 end
 
-function source:get_keyword_pattern()
-  return "[%w%./%-]*"
-end
-
 function source:complete(params, callback)
   local cursor_before_line = params.context.cursor_before_line
   local cursor_after_line = params.context.cursor_after_line or ""
 
-  if not cursor_before_line:match("%[[^%]]*%]%(") then
-    callback({})
-    return
-  end
+  local trigger = cursor_before_line:match("%[[^%]]*%]%(([^)]*)$")
 
+  if trigger ~= nil then
     local items = get_markdown_files(".")
     local next_char = cursor_after_line:sub(1, 1)
 
@@ -38,6 +32,9 @@ function source:complete(params, callback)
     end
 
     callback(items)
+  else
+    callback({})
+  end
 end
 
 function source:get_trigger_characters()

dots/.config/nvim/lua/zk/init.lua

@@ -1,10 +1,9 @@
 require("zk.cmp")
-require("zk.utils")
 
 vim.cmd([[
 let s:zk_preview_enabled = 0
 let s:live_server_job = -1
-execute 'au BufEnter' g:zk_path . '/*.md' 'silent exe "!echo %" ">" g:zk_path . "/current-zettel.txt"'
+au BufEnter /home/h/.zk/*.md silent exe '!echo "%" > /home/h/.zk/current-zettel.txt'
 function! ToggleZKPreview()
     if s:zk_preview_enabled == 1
         let s:zk_preview_enabled = 0
@@ -12,10 +11,10 @@ function! ToggleZKPreview()
         au! ZKPreview
     else
         let s:zk_preview_enabled = 1
-        let s:live_server_job = jobstart('live-server --watch=' . g:zk_path . '/current-zettel-content.html --open=current-zettel-content.html --port=8080')
+        let s:live_server_job = jobstart('live-server --watch=/home/h/.zk/current-zettel-content.html --open=current-zettel-content.html --port=8080')
         augroup ZKPreview
-          execute 'au BufEnter' g:zk_path . '/*.md' 'silent exe "!cat %:r.html" ">" g:zk_path . "/current-zettel-content.html"'
-          execute 'au BufWritePost' g:zk_path . '/*.md' 'silent exe "!make && cat %:r.html" ">" g:zk_path . "/current-zettel-content.html"'
+          au BufEnter /home/h/.zk/*.md silent exe '!cat "%:r.html" > /home/h/.zk/current-zettel-content.html'
+          au BufWritePost /home/h/.zk/*.md silent exe '!make && cat "%:r.html" > /home/h/.zk/current-zettel-content.html'
         augroup END
     endif
 endfunction

dots/.config/nvim/lua/zk/utils.lua

@@ -1,2 +0,0 @@
-vim.g.zk_path = os.getenv("ZK_PATH") or (os.getenv("HOME") .. "/.zk")
-return vim.g.zk_path

dots/.config/tmux/hooks/tmux.ssh.conf

@@ -0,0 +1 @@
+set -g status-style bg=colour12,fg=colour0

dots/.config/tmux/tmux.conf

@@ -70,6 +70,8 @@ set -g status-right '#(uptime | cut -f 4-5 -d " " | cut -f 1 -d ",") %a %l:%M:%S
 
 set -g default-terminal "tmux-256color"
 
+set-hook -g after-new-session 'if -F "#{==:#{session_name},ssh}" "source ${XDG_CONFIG_HOME}/tmux/hooks/tmux.ssh.conf" "source ${XDG_CONFIG_HOME}/tmux/hooks/tmux.regular.conf"'
+
 # Vi copypaste mode
 if-shell "test '\( #{$TMUX_VERSION_MAJOR} -eq 2 -a #{$TMUX_VERSION_MINOR} -ge 4 \)'" 'bind-key -Tcopy-mode-vi v send -X begin-selection; bind-key -Tcopy-mode-vi y send -X copy-selection-and-cancel'
 if-shell '\( #{$TMUX_VERSION_MAJOR} -eq 2 -a #{$TMUX_VERSION_MINOR} -lt 4\) -o #{$TMUX_VERSION_MAJOR} -le 1' 'bind-key -t vi-copy v begin-selection; bind-key -t vi-copy y copy-selection'

flake.lock

@@ -38,11 +38,11 @@
     "base16-helix": {
       "flake": false,
       "locked": {
-        "lastModified": 1776754714,
-        "narHash": "sha256-E3OAK27smtATTmX45uoTSRsVD+Y+ZiVVfgM/tjpbtYg=",
+        "lastModified": 1760703920,
+        "narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
         "owner": "tinted-theming",
         "repo": "base16-helix",
-        "rev": "4d508123037e7851ad36ebf7d9c48b0e9e1eb581",
+        "rev": "d646af9b7d14bff08824538164af99d0c521b185",
         "type": "github"
       },
       "original": {
@@ -121,11 +121,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1778040175,
-        "narHash": "sha256-SSXJp3BMjO2LrW/VLjNdGGcjd3RFEyV4FemYA6OGrYw=",
+        "lastModified": 1776398575,
+        "narHash": "sha256-WArU6WOdWxzbzGqYk4w1Mucg+bw/SCl6MoSp+/cZMio=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "3bd76b0f41e65661866bddcac57ebe83aeadb581",
+        "rev": "05815686caf4e3678f5aeb5fd36e567886ab0d30",
         "type": "gitlab"
       },
       "original": {
@@ -138,11 +138,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1776136500,
-        "narHash": "sha256-r0gN2brVWA351zwMV0Flmlcd6SGMvYqFbvC3DfKFM8Y=",
+        "lastModified": 1775176642,
+        "narHash": "sha256-2veEED0Fg7Fsh81tvVDNYR6SzjqQxa7hbi18Jv4LWpM=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "0f8ba203d475587f477e7ae12661bd8459e225b7",
+        "rev": "179704030c5286c729b5b0522037d1d51341022c",
         "type": "github"
       },
       "original": {
@@ -284,11 +284,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1776796298,
-        "narHash": "sha256-PcRvlWayisPSjd0UcRQbhG8Oqw78AcPE6x872cPRHN8=",
+        "lastModified": 1775585728,
+        "narHash": "sha256-8Psjt+TWvE4thRKktJsXfR6PA/fWWsZ04DVaY6PUhr4=",
         "owner": "cachix",
         "repo": "git-hooks.nix",
-        "rev": "3cfd774b0a530725a077e17354fbdb87ea1c4aad",
+        "rev": "580633fa3fe5fc0379905986543fd7495481913d",
         "type": "github"
       },
       "original": {
@@ -342,11 +342,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778009629,
-        "narHash": "sha256-nUoQtf4Zq7DRYJrfv904hjrxjAlWVP6a1pNNFKx3FCg=",
+        "lastModified": 1776373306,
+        "narHash": "sha256-iAJIzHngGZeLIkjzuuWI6VBsYJ1n89a/Esq0m8R1vjs=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "00ed86e58bb6979a7921859fd1615d19382eac5c",
+        "rev": "d401492e2acd4fea42f7705a3c266cea739c9c36",
         "type": "github"
       },
       "original": {
@@ -398,10 +398,10 @@
     "nix-secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1776723456,
-        "narHash": "sha256-GBbbm05oXYqSZ2EgxQPsNpTKl16wNhvrlUxdmv0FbSU=",
+        "lastModified": 1776422417,
+        "narHash": "sha256-9R4MePj/UT0tqkWEq4Afg7Lp/zdfYHkW+qmpVGchKIs=",
         "ref": "main",
-        "rev": "135b681d24af6ee4508bbf7c657982d7be8743d4",
+        "rev": "75759a14e8d46421fca4306393a38b5ad5240f09",
         "shallow": true,
         "type": "git",
         "url": "ssh://git@github.com/hektor/nix-secrets"
@@ -415,11 +415,11 @@
     },
     "nixCats": {
       "locked": {
-        "lastModified": 1777273601,
-        "narHash": "sha256-xBUa8Tl9V7IXI+VmLEuDc81La/EhoSn1C3EVSnJ3cfU=",
+        "lastModified": 1774835836,
+        "narHash": "sha256-6ok7iv/9R82vl6MYe3Lwyyb6S5bmW2PxEZtmjzlqyPs=",
         "owner": "BirdeeHub",
         "repo": "nixCats-nvim",
-        "rev": "f69ea013e328841a7def7037ed59788a76be8816",
+        "rev": "ebb9f279a55ca60ff4e37e4accf6518dc627aa8d",
         "type": "github"
       },
       "original": {
@@ -451,11 +451,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1777917524,
-        "narHash": "sha256-k+LVe9YaO2BEPB9AaCtTtOMCeGi4dxDo6gt4Un3qoPY=",
+        "lastModified": 1775490113,
+        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "df7783100babf59001340a7a874ba3824e441ecb",
+        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
         "type": "github"
       },
       "original": {
@@ -467,11 +467,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1777954456,
-        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+        "lastModified": 1776169885,
+        "narHash": "sha256-l/iNYDZ4bGOAFQY2q8y5OAfBBtrDAaPuRQqWaFHVRXM=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+        "rev": "4bd9165a9165d7b5e33ae57f3eecbcb28fb231c9",
         "type": "github"
       },
       "original": {
@@ -509,11 +509,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777598946,
-        "narHash": "sha256-X239dAGaU1+gfDj8jKH8GzlqKMcxaVfXOio+uzBOkeE=",
+        "lastModified": 1775228139,
+        "narHash": "sha256-ebbeHmg+V7w8050bwQOuhmQHoLOEOfqKzM1KgCTexK4=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "5d55af01c0f86be583931fe99207fc56c14134b3",
+        "rev": "601971b9c89e0304561977f2c28fa25e73aa7132",
         "type": "github"
       },
       "original": {
@@ -665,11 +665,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777944972,
-        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
+        "lastModified": 1776119890,
+        "narHash": "sha256-Zm6bxLNnEOYuS/SzrAGsYuXSwk3cbkRQZY0fJnk8a5M=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
+        "rev": "d4971dd58c6627bfee52a1ad4237637c0a2fb0cd",
         "type": "github"
       },
       "original": {
@@ -714,11 +714,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1777835090,
-        "narHash": "sha256-VLH8zPweblCOvpnQXp4fVs7f6Q79YhXF5XFKlOrvIFk=",
+        "lastModified": 1776170745,
+        "narHash": "sha256-Tl1aZVP5EIlT+k0+iAKH018GLHJpLz3hhJ0LNQOWxCc=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "7989a1054b01153212dede6005abfd1576b8328c",
+        "rev": "e3861617645a43c9bbefde1aa6ac54dd0a44bfa9",
         "type": "github"
       },
       "original": {
@@ -776,11 +776,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1777041405,
-        "narHash": "sha256-BAGZ7ObFV/9Z61OJZun7ifPyhkuHqNuW1QIhQ8LuzCo=",
+        "lastModified": 1772661346,
+        "narHash": "sha256-4eu3LqB9tPqe0Vaqxd4wkZiBbthLbpb7llcoE/p5HT0=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "5f868b3a338b6904c47f3833b9c411be641983a8",
+        "rev": "13b5b0c299982bb361039601e2d72587d6846294",
         "type": "github"
       },
       "original": {
@@ -792,11 +792,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1777169200,
-        "narHash": "sha256-h7dDbIzP5hDr9v97w9PL6jdAgXawmj6krcH+959rqpU=",
+        "lastModified": 1772934010,
+        "narHash": "sha256-x+6+4UvaG+RBRQ6UaX+o6DjEg28u4eqhVRM9kpgJGjQ=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "f798c2dce44ef815bb6b8f05a82135c7942d35ac",
+        "rev": "c3529673a5ab6e1b6830f618c45d9ce1bcdd829d",
         "type": "github"
       },
       "original": {
@@ -808,11 +808,11 @@
     "tinted-zed": {
       "flake": false,
       "locked": {
-        "lastModified": 1777463218,
-        "narHash": "sha256-Bhkozqtq3BKLqWTlmKm8uAptfX4aRGI8QX3eEL54Vpc=",
+        "lastModified": 1772909925,
+        "narHash": "sha256-jx/5+pgYR0noHa3hk2esin18VMbnPSvWPL5bBjfTIAU=",
         "owner": "tinted-theming",
         "repo": "base16-zed",
-        "rev": "5768d08ed2e7944a26a958868cdb073cb8856dae",
+        "rev": "b4d3a1b3bcbd090937ef609a0a3b37237af974df",
         "type": "github"
       },
       "original": {

flake.nix

@@ -76,10 +76,7 @@
           nixpkgs.lib.nixosSystem {
             modules = [
               ./hosts/${host}
-              {
-                nixpkgs.hostPlatform = (myUtils.hostMeta ./hosts/${host}).system;
-                host.name = host;
-              }
+              { nixpkgs.hostPlatform = import ./hosts/${host}/system.nix; }
             ];
             specialArgs = {
               inherit

home/hosts/andromache/default.nix

@@ -25,12 +25,10 @@
     ../../modules/nvim
     ../../modules/pandoc
     ../../modules/photography
-    ../../modules/secrets
     ../../modules/shell
     ../../modules/ssh
     ../../modules/taskwarrior
     ../../modules/terminal
-    ../../modules/zk
     ../../modules/torrenting
   ];
 
@@ -47,10 +45,7 @@
     printing.enable = true;
     modeling.enable = true;
   };
-  ai-tools = {
-    claude-code.enable = true;
-    opencode.enable = true;
-  };
+  ai-tools.opencode.enable = true;
   browser.primary = "librewolf";
   cloud.hetzner.enable = true;
   comms.signal.enable = true;
@@ -58,7 +53,6 @@
   shell.bash.aliases.lang-js = true;
   shell.bash.addBinToPath = true;
   torrenting.enable = true;
-  zk.enable = true;
 
   programs = {
     home-manager.enable = true;

home/hosts/astyanax/default.nix

@@ -43,10 +43,7 @@
   };
 
   modules."3d".printing.enable = true;
-  ai-tools = {
-    claude-code.enable = true;
-    opencode.enable = true;
-  };
+  ai-tools.opencode.enable = true;
   browser.primary = "librewolf";
   cloud.hetzner.enable = true;
   comms.signal.enable = true;

home/hosts/work/default.nix

@@ -5,6 +5,9 @@
   ...
 }:
 
+let
+  username = "hektor";
+in
 {
   imports = [
     inputs.sops-nix.homeManagerModules.sops
@@ -54,8 +57,8 @@
 
   home = {
     stateVersion = "25.05";
-    username = "hektor";
-    homeDirectory = "/home/${config.home.username}";
+    inherit username;
+    homeDirectory = "/home/${username}";
   };
 
   targets.genericLinux.nixGL = {
@@ -73,11 +76,8 @@
     tirith.enable = true;
     opencode.enable = true;
   };
-  database = {
-    mssql.enable = true;
-    postgresql.enable = true;
-    redis.enable = true;
-  };
+  database.mssql.enable = true;
+  database.postgresql.enable = true;
   git.github.enable = true;
   git.gitlab.enable = true;
   secrets.vault.enable = true;

home/modules/ai-tools/claude-code.nix

@@ -1,60 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.ai-tools.claude-code;
-  rtk-version = "0.18.1";
-in
-{
-  options.ai-tools.claude-code.enable = lib.mkEnableOption "claude code with rtk and ccline";
-
-  config = lib.mkIf cfg.enable {
-    programs.claude-code.enable = true;
-
-    home.packages = with pkgs; [
-      (stdenv.mkDerivation {
-        name = "ccline";
-        src = fetchurl {
-          url = "https://github.com/Haleclipse/CCometixLine/releases/download/v1.0.8/ccline-linux-x64.tar.gz";
-          hash = "sha256-Joe3Dd6uSMGi66QT6xr2oY/Tz8rA5RuKa6ckBVJIzI0=";
-        };
-        unpackPhase = "tar xzf $src";
-        installPhase = ''
-          mkdir -p $out/bin
-          cp ccline $out/bin/
-          chmod +x $out/bin/ccline
-        '';
-        meta = {
-          description = "CCometixLine Linux x64 CLI (Claude Code statusline)";
-          homepage = "https://github.com/Haleclipse/CCometixLine";
-          license = lib.licenses.mit;
-          platforms = [ "x86_64-linux" ];
-        };
-      })
-      (stdenv.mkDerivation {
-        name = "rtk-${rtk-version}";
-        version = rtk-version;
-        src = fetchurl {
-          url = "https://github.com/rtk-ai/rtk/releases/download/v${rtk-version}/rtk-x86_64-unknown-linux-gnu.tar.gz";
-          hash = "sha256-XoTia5K8b00OzcKYCufwx8ApkAS31DxUCpGSU0jFs2Q=";
-        };
-        unpackPhase = "tar xzf $src";
-        installPhase = ''
-          mkdir -p $out/bin
-          cp rtk $out/bin/
-          chmod +x $out/bin/rtk
-        '';
-        meta = {
-          description = "RTK - AI coding tool enhancer";
-          homepage = "https://www.rtk-ai.app";
-          license = lib.licenses.mit;
-          platforms = [ "x86_64-linux" ];
-        };
-      })
-      mcp-nixos
-    ];
-  };
-}

home/modules/ai-tools/default.nix

@@ -1,8 +1,116 @@
 {
-  imports = [
-    ./claude-code.nix
-    ./opencode.nix
-    ./skills.nix
-    ./tirith.nix
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.ai-tools;
+  rtk-version = "0.18.1";
+in
+{
+  options.ai-tools = {
+    claude-code.enable = lib.mkEnableOption "claude code with rtk and ccline";
+    tirith.enable = lib.mkEnableOption "tirith shell security guard";
+    opencode.enable = lib.mkEnableOption "opencode";
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.claude-code.enable {
+      home.packages = with pkgs; [
+        claude-code
+        (pkgs.stdenv.mkDerivation {
+          name = "ccline";
+          src = pkgs.fetchurl {
+            url = "https://github.com/Haleclipse/CCometixLine/releases/download/v1.0.8/ccline-linux-x64.tar.gz";
+            hash = "sha256-Joe3Dd6uSMGi66QT6xr2oY/Tz8rA5RuKa6ckBVJIzI0=";
+          };
+
+          unpackPhase = ''
+            tar xzf $src
+          '';
+
+          installPhase = ''
+            mkdir -p $out/bin
+            cp ccline $out/bin/
+            chmod +x $out/bin/ccline
+          '';
+
+          meta = with pkgs.lib; {
+            description = "CCometixLine Linux x64 CLI (Claude Code statusline)";
+            homepage = "https://github.com/Haleclipse/CCometixLine";
+            license = licenses.mit;
+            platforms = [ "x86_64-linux" ];
+          };
+        })
+        (pkgs.stdenv.mkDerivation {
+          name = "rtk-${rtk-version}";
+          version = rtk-version;
+          src = pkgs.fetchurl {
+            url = "https://github.com/rtk-ai/rtk/releases/download/v${rtk-version}/rtk-x86_64-unknown-linux-gnu.tar.gz";
+            hash = "sha256-XoTia5K8b00OzcKYCufwx8ApkAS31DxUCpGSU0jFs2Q=";
+          };
+
+          unpackPhase = ''
+            tar xzf $src
+          '';
+
+          installPhase = ''
+            mkdir -p $out/bin
+            cp rtk $out/bin/
+            chmod +x $out/bin/rtk
+          '';
+
+          meta = with pkgs.lib; {
+            description = "RTK - AI coding tool enhancer";
+            homepage = "https://www.rtk-ai.app";
+            license = licenses.mit;
+            platforms = [ "x86_64-linux" ];
+          };
+        })
+        mcp-nixos
+      ];
+    })
+    (lib.mkIf cfg.tirith.enable {
+      home.packages = with pkgs; [
+        tirith
+      ];
+    })
+    (lib.mkIf (cfg.tirith.enable && cfg.claude-code.enable) {
+      home.file.".claude/hooks/tirith-check.py" = {
+        source = ./tirith-check.py;
+        executable = true;
+      };
+
+      home.activation.tirith-claude-code = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
+        ${pkgs.tirith}/bin/tirith setup claude-code --with-mcp --scope user --force 2>/dev/null || true
+      '';
+    })
+    (lib.mkIf cfg.opencode.enable {
+      home.packages = with pkgs; [
+        opencode
+      ];
+      home.file.".config/opencode/opencode.json".text = builtins.toJSON {
+        "$schema" = "https://opencode.ai/config.json";
+        permission = {
+          external_directory = {
+            "/run/secrets/" = "deny";
+            "~/.config/sops/age/keys.txt" = "deny";
+            "~/.ssh/id_rsa" = "deny";
+            "~/.ssh/id_ed25519" = "deny";
+            "~/.ssh/id_ecdsa" = "deny";
+            "~/.ssh/id_dsa" = "deny";
+            "/etc/ssh/ssh_host_rsa_key" = "deny";
+            "/etc/ssh/ssh_host_ed25519_key" = "deny";
+            "/etc/ssh/ssh_host_ecdsa_key" = "deny";
+            "/etc/ssh/ssh_host_dsa_key" = "deny";
+          };
+          command = {
+            sops = "deny";
+          };
+        };
+        plugin = [ "@mohak34/opencode-notifier@latest" ];
+      };
+    })
   ];
 }

home/modules/ai-tools/opencode.nix

@@ -1,40 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.ai-tools.opencode;
-in
-{
-  options.ai-tools.opencode = {
-    enable = lib.mkEnableOption "opencode";
-  };
-
-  config = lib.mkIf cfg.enable {
-    home.packages = [ pkgs.opencode ];
-
-    home.file.".config/opencode/opencode.json".text = builtins.toJSON {
-      "$schema" = "https://opencode.ai/config.json";
-      permission = {
-        external_directory = {
-          "/run/secrets/" = "deny";
-          "~/.config/sops/age/keys.txt" = "deny";
-          "~/.ssh/id_rsa" = "deny";
-          "~/.ssh/id_ed25519" = "deny";
-          "~/.ssh/id_ecdsa" = "deny";
-          "~/.ssh/id_dsa" = "deny";
-          "/etc/ssh/ssh_host_rsa_key" = "deny";
-          "/etc/ssh/ssh_host_ed25519_key" = "deny";
-          "/etc/ssh/ssh_host_ecdsa_key" = "deny";
-          "/etc/ssh/ssh_host_dsa_key" = "deny";
-        };
-        command = {
-          sops = "deny";
-        };
-      };
-      plugin = [ "@mohak34/opencode-notifier@latest" ];
-    };
-  };
-}

home/modules/ai-tools/skills.nix

@@ -1,49 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.ai-tools.claude-code;
-
-  skillType = lib.types.submodule {
-    options = {
-      owner = lib.mkOption { type = lib.types.str; };
-      repo = lib.mkOption { type = lib.types.str; };
-      rev = lib.mkOption { type = lib.types.str; };
-      hash = lib.mkOption { type = lib.types.str; };
-      skill = lib.mkOption { type = lib.types.str; };
-    };
-  };
-
-  fetchSkill =
-    skill:
-    let
-      src = pkgs.fetchFromGitHub {
-        inherit (skill)
-          owner
-          repo
-          rev
-          hash
-          ;
-      };
-    in
-    {
-      name = ".claude/skills/${skill.skill}";
-      value = {
-        source = "${src}/${skill.skill}";
-        recursive = true;
-      };
-    };
-in
-{
-  options.ai-tools.claude-code.skills = lib.mkOption {
-    type = lib.types.listOf skillType;
-    default = [ ];
-  };
-
-  config = lib.mkIf cfg.enable {
-    home.file = builtins.listToAttrs (map fetchSkill cfg.skills);
-  };
-}

home/modules/ai-tools/tirith.nix

@@ -1,30 +0,0 @@
-{
-  lib,
-  config,
-  pkgs,
-  ...
-}:
-let
-  cfg = config.ai-tools.tirith;
-in
-{
-  options.ai-tools.tirith = {
-    enable = lib.mkEnableOption "tirith shell security guard";
-  };
-
-  config = lib.mkMerge [
-    (lib.mkIf cfg.enable {
-      home.packages = [ pkgs.tirith ];
-    })
-    (lib.mkIf (cfg.enable && config.ai-tools.claude-code.enable) {
-      home.file.".claude/hooks/tirith-check.py" = {
-        source = ./tirith-check.py;
-        executable = true;
-      };
-
-      home.activation.tirith-claude-code = lib.hm.dag.entryAfter [ "writeBoundary" ] ''
-        ${pkgs.tirith}/bin/tirith setup claude-code --with-mcp --scope user --force 2>/dev/null || true
-      '';
-    })
-  ];
-}

home/modules/anki/default.nix

@@ -13,12 +13,10 @@ let
   standalone = osConfig == null;
 in
 lib.optionalAttrs standalone {
-  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
-    anki = [
+  sops.secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "anki" [
     "sync-user"
     "sync-key"
-    ];
-  };
+  ] { };
 }
 // {
   warnings = lib.optional (

home/modules/database/default.nix

@@ -9,18 +9,14 @@
   options.database = {
     mssql.enable = lib.mkEnableOption "MSSQL";
     postgresql.enable = lib.mkEnableOption "PostgreSQL";
-    redis.enable = lib.mkEnableOption "Redis";
   };
 
   config = lib.mkMerge [
     (lib.mkIf config.database.mssql.enable {
-      home.packages = with pkgs; [ (config.nixgl.wrap dbeaver-bin) ];
+      home.packages = [ (config.nixgl.wrap pkgs.dbeaver-bin) ];
     })
     (lib.mkIf config.database.postgresql.enable {
-      home.packages = with pkgs; [ (config.nixgl.wrap pgadmin4-desktopmode) ];
-    })
-    (lib.mkIf config.database.postgresql.enable {
-      home.packages = with pkgs; [ redis ];
+      home.packages = [ (config.nixgl.wrap pkgs.pgadmin4-desktopmode) ];
     })
   ];
 }

home/modules/dconf/default.nix

@@ -3,7 +3,6 @@
 let
   terminal = "kitty";
   browser = config.browser.primary;
-  font = "${config.stylix.fonts.monospace.name} ${toString config.stylix.fonts.sizes.applications}";
 in
 {
   dconf.settings = {
@@ -41,9 +40,9 @@ in
       clock-show-weekday = true;
       color-scheme = "prefer-dark";
       enable-hot-corners = false;
-      # font-name = font;
+      font-name = "Iosevka Term SS08 12";
       locate-pointer = true;
-      monospace-font-name = font;
+      monospace-font-name = "Iosevka Term SS08 12";
     };
 
     "org/gnome/desktop/wm/keybindings" = {

home/modules/default.nix

@@ -6,19 +6,13 @@
 }:
 
 {
-  options = {
-    host.username = lib.mkOption {
-      type = lib.types.str;
-      default = config.home.username;
-    };
-
-    nixgl.wrap = lib.mkOption {
+  options.nixgl.wrap = lib.mkOption {
     type = lib.types.functionTo lib.types.package;
     default = if config.lib ? nixGL then config.lib.nixGL.wrap else lib.id;
     readOnly = true;
   };
 
-    wrapApp = lib.mkOption {
+  options.wrapApp = lib.mkOption {
     type = lib.types.raw;
     default =
       pkg: flags:
@@ -33,5 +27,4 @@
         pkg;
     readOnly = true;
   };
-  };
 }

home/modules/ssh/default.nix

@@ -1,15 +1,18 @@
 {
-  myUtils,
+  outputs,
   lib,
   pkgs,
   ...
 }:
 let
-  hostDir = ../../hosts;
-  hostNames = myUtils.dirNames hostDir;
+  nixosConfigs = builtins.attrNames outputs.nixosConfigurations;
+  homeConfigs = map (n: lib.last (lib.splitString "@" n)) (
+    builtins.attrNames outputs.homeConfigurations
+  );
+  allHosts = lib.unique (homeConfigs ++ nixosConfigs);
   hostsWithKeys = lib.filter (
-    hostname: builtins.pathExists (hostDir + "/${hostname}/ssh_host.pub")
-  ) hostNames;
+    hostname: builtins.pathExists ../../hosts/${hostname}/ssh_host.pub
+  ) allHosts;
 in
 {
   home.packages = with pkgs; [ sshfs ];
@@ -22,14 +25,15 @@ in
       lib.genAttrs hostsWithKeys (
         hostname:
         let
-          meta = myUtils.hostMeta (hostDir + "/${hostname}");
+          hostConfig = outputs.nixosConfigurations.${hostname}.config;
+          inherit (hostConfig.ssh) publicHostname username;
         in
         {
           host = hostname;
-          user = meta.deployment.targetUser;
+          user = username;
         }
-        // lib.optionalAttrs (meta.deployment.targetHost != "") {
-          hostname = meta.deployment.targetHost;
+        // lib.optionalAttrs (publicHostname != "") {
+          hostname = publicHostname;
         }
       )
       // {

home/modules/stylix/default.nix

@@ -25,6 +25,21 @@ in
       sansSerif = config.stylix.fonts.monospace;
       emoji = config.stylix.fonts.monospace;
     };
-    targets = import ../../../modules/stylix/targets.nix;
+    targets = {
+      firefox = {
+        profileNames = [ "default" ];
+        colorTheme.enable = true;
+      };
+      librewolf = {
+        profileNames = [ "default" ];
+        colorTheme.enable = true;
+      };
+      gnome.enable = false;
+      gtk.enable = false;
+      kitty = {
+        variant256Colors = true;
+      };
+      nixvim.enable = false;
+    };
   };
 }

home/modules/taskwarrior/default.nix

@@ -15,13 +15,11 @@ let
 in
 lib.optionalAttrs standalone {
   sops = {
-    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" null {
-      taskwarrior = [
+    secrets = myUtils.mkSopsSecrets "${toString inputs.nix-secrets}/secrets" "taskwarrior" [
       "sync-server-url"
       "sync-server-client-id"
       "sync-encryption-secret"
-      ];
-    };
+    ] { };
 
     templates."taskrc.d/sync" = {
       content = ''

home/modules/tmux/default.nix

@@ -11,5 +11,9 @@
       enable = true;
       extraConfig = builtins.readFile (dotsPath + "/.config/tmux/tmux.conf");
     };
+
+    home.file = {
+      ".config/tmux/hooks/tmux.ssh.conf".source = dotsPath + "/.config/tmux/hooks/tmux.ssh.conf";
+    };
   };
 }

home/modules/zk/default.nix

@@ -1,45 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-
-let
-  cfg = config.zk;
-in
-{
-  options.zk = {
-    enable = lib.mkEnableOption "zettelkasten";
-    path = lib.mkOption {
-      type = lib.types.str;
-      default = config.home.homeDirectory + "/.zk";
-      description = "Path to the zettelkasten directory";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    home = {
-      sessionVariables.ZK_PATH = cfg.path;
-      packages = [
-        (pkgs.writeShellApplication {
-          name = "zk";
-          runtimeInputs = with pkgs; [ tmux ];
-          text = builtins.readFile ./scripts/zk.sh;
-        })
-
-        (pkgs.writeShellApplication {
-          name = "save-zk";
-          runtimeInputs = with pkgs; [ git ];
-          text = builtins.readFile ./scripts/save-zk.sh;
-        })
-
-        (pkgs.writeShellApplication {
-          name = "setup-zk";
-          runtimeInputs = with pkgs; [ gh ];
-          text = builtins.readFile ./scripts/setup-zk.sh;
-        })
-      ];
-    };
-  };
-}

home/modules/zk/scripts/save-zk.sh

@@ -1,2 +0,0 @@
-cd "$ZK_PATH" || { echo "No zettelkasten directory found"; exit 1; }
-git add . && git commit -m "Update" && git push

home/modules/zk/scripts/setup-zk.sh

@@ -1,13 +0,0 @@
-if [ ! -d "$ZK_PATH" ]; then
-  echo "[zk] Setting up zettelkasten"
-  gh repo clone zk "$ZK_PATH"
-else
-  echo "[zk] Zettelkasten already set up."
-fi
-
-read -p "Would you like open your zettelkasten? [y/N] " -n 1 -r
-echo
-
-if [[ $REPLY =~ ^[Yy]$ ]]; then
-  $EDITOR "$ZK_PATH"
-fi

hosts/andromache/default.nix

@@ -51,16 +51,31 @@ in
     ../../modules/yubikey
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/${config.host.name};
+  home-manager.users.${config.host.username} = import ../../home/hosts/andromache {
+    inherit
+      inputs
+      config
+      pkgs
+      lib
+      ;
+  };
 
-  secrets.nixSigningKey.enable = true;
+  ssh.username = config.host.username;
+  ssh.authorizedHosts = [ "astyanax" ];
+
+  secrets = {
+    inherit (config.host) username;
+    nixSigningKey.enable = true;
+  };
 
-  restic-backup.enable = true;
   tailscale.enable = true;
 
-  docker.enable = true;
+  docker.user = config.host.username;
 
-  hcloud.enable = true;
+  hcloud = {
+    enable = true;
+    inherit (config.host) username;
+  };
 
   disko.devices = {
     disk.data = {
@@ -92,6 +107,7 @@ in
 
   my.yubikey = {
     enable = false;
+    inherit (config.host) username;
     keys = [
       {
         handle = "<KeyHandle1>";

hosts/andromache/host.nix

@@ -1,7 +1,6 @@
 {
   host = {
     username = "h";
-    highRam = true;
-    admin = true;
+    name = "andromache";
   };
 }

hosts/andromache/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "x86_64-linux";
-  deployment = {
-    tags = [ "local" ];
-    targetHost = "";
-    targetUser = "h";
-  };
+  deployment.tags = [ "local" ];
   role = "desktop";
 }

hosts/andromache/system.nix

@@ -0,0 +1 @@
+"x86_64-linux"

hosts/astyanax/default.nix

@@ -47,14 +47,26 @@ in
     ../../modules/yubikey
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/${config.host.name};
+  home-manager.users.${config.host.username} = import ../../home/hosts/astyanax {
+    inherit
+      inputs
+      config
+      pkgs
+      lib
+      ;
+  };
 
-  secrets.nixSigningKey.enable = true;
+  ssh.username = config.host.username;
+  ssh.authorizedHosts = [ "andromache" ];
+
+  secrets = {
+    inherit (config.host) username;
+    nixSigningKey.enable = true;
+  };
 
-  restic-backup.enable = true;
   tailscale.enable = true;
-  docker.enable = true;
-  nfc.enable = true;
+  docker.user = config.host.username;
+  nfc.user = config.host.username;
   desktop.ly.enable = true;
   audio.automation.enable = true;
 

hosts/astyanax/host.nix

@@ -1,7 +1,6 @@
 {
   host = {
     username = "h";
-    highRam = true;
-    admin = true;
+    name = "astyanax";
   };
 }

hosts/astyanax/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "x86_64-linux";
-  deployment = {
-    tags = [ "local" ];
-    targetHost = "";
-    targetUser = "h";
-  };
+  deployment.tags = [ "local" ];
   role = "laptop";
 }

hosts/astyanax/system.nix

@@ -0,0 +1 @@
+"x86_64-linux"

hosts/eetion-02/default.nix

@@ -11,6 +11,15 @@
     ../../modules/ssh
   ];
 
+  ssh = {
+    inherit (config.host) username;
+    publicHostname = config.host.name;
+    authorizedHosts = [
+      "andromache"
+      "astyanax"
+    ];
+  };
+
   boot = {
     kernelParams = [
       "console=ttyS1,115200n8"

hosts/eetion-02/host.nix

@@ -1,5 +1,6 @@
 {
   host = {
     username = "h";
+    name = "eetion-02";
   };
 }

hosts/eetion-02/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "aarch64-linux";
-  deployment = {
-    tags = [ "arm" ];
-    targetHost = "eetion-02";
-    targetUser = "h";
-  };
+  deployment.tags = [ "arm" ];
   role = "embedded";
 }

hosts/eetion-02/system.nix

@@ -0,0 +1 @@
+"aarch64-linux"

hosts/eetion/default.nix

@@ -9,11 +9,17 @@
     ./host.nix
     ../../modules/common
     ../../modules/ssh
-    ../../modules/tailscale
     # ../../modules/uptime-kuma
   ];
 
-  tailscale.enable = true;
+  ssh = {
+    inherit (config.host) username;
+    publicHostname = config.host.name;
+    authorizedHosts = [
+      "andromache"
+      "astyanax"
+    ];
+  };
 
   boot.loader = {
     grub.enable = false;

hosts/eetion/host.nix

@@ -1,5 +1,6 @@
 {
   host = {
     username = "h";
+    name = "eetion";
   };
 }

hosts/eetion/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "aarch64-linux";
-  deployment = {
-    tags = [ "arm" ];
-    targetHost = "eetion";
-    targetUser = "h";
-  };
+  deployment.tags = [ "arm" ];
   role = "embedded";
 }

hosts/eetion/system.nix

@@ -0,0 +1 @@
+"aarch64-linux"

hosts/hecuba/default.nix

@@ -18,7 +18,16 @@
   ];
 
   networking.hostName = config.host.name;
-  docker.enable = true;
+  ssh = {
+    inherit (config.host) username;
+    publicHostname = "server.hektormisplon.xyz";
+    authorizedHosts = [
+      "andromache"
+      "astyanax"
+    ];
+  };
+
+  docker.user = config.host.username;
 
   fileSystems."/" = {
     device = "/dev/disk/by-label/nixos";

hosts/hecuba/host.nix

@@ -1,5 +1,6 @@
 {
   host = {
     username = "username";
+    name = "hecuba";
   };
 }

hosts/hecuba/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "x86_64-linux";
-  deployment = {
-    tags = [ "cloud" ];
-    targetHost = "server.hektormisplon.xyz";
-    targetUser = "username";
-  };
+  deployment.tags = [ "cloud" ];
   role = "server";
 }

hosts/hecuba/system.nix

@@ -0,0 +1 @@
+"x86_64-linux"

hosts/vm/default.nix

@@ -1,6 +1,7 @@
 {
   inputs,
   config,
+  pkgs,
   ...
 }:
 {
@@ -28,7 +29,13 @@
     ../../modules/x
   ];
 
-  home-manager.users.${config.host.username} = import ../../home/hosts/vm;
+  home-manager.users.${config.host.username} = import ../../home/hosts/vm {
+    inherit inputs config pkgs;
+  };
+
+  ssh.username = config.host.username;
+
+  secrets.username = config.host.username;
 
   disko = {
     devices.disk.main = {

hosts/vm/host.nix

@@ -1,5 +1,6 @@
 {
   host = {
     username = "h";
+    name = "vm";
   };
 }

hosts/vm/meta.nix

@@ -1,9 +1,4 @@
 {
-  system = "x86_64-linux";
-  deployment = {
-    tags = [ "local" ];
-    targetHost = "";
-    targetUser = "h";
-  };
+  deployment.tags = [ "local" ];
   role = "vm";
 }

hosts/vm/system.nix

@@ -0,0 +1 @@
+"x86_64-linux"

images/sd-image-orange-pi-aarch64.nix

@@ -12,14 +12,14 @@ let
 in
 {
   imports = [
-    ../modules/common/host.nix
     ../modules/ssh
   ];
 
-  host = {
-    inherit username;
-    name = "orange-pi";
-  };
+  ssh.username = username;
+  ssh.authorizedHosts = [
+    "andromache"
+    "astyanax"
+  ];
 
   nix.settings.experimental-features = [
     "nix-command"

images/sd-image-raspberry-pi-aarch64.nix

@@ -12,14 +12,14 @@ let
 in
 {
   imports = [
-    ../modules/common/host.nix
     ../modules/ssh
   ];
 
-  host = {
-    inherit username;
-    name = "raspberry-pi";
-  };
+  ssh.username = username;
+  ssh.authorizedHosts = [
+    "andromache"
+    "astyanax"
+  ];
 
   boot.kernelParams = [
     "console=ttyS1,115200n8"

modules/ai-tools/default.nix

@@ -1,15 +1,14 @@
-{ config, ... }:
+{ config, myUtils, ... }:
 
 let
-  inherit (config.host) username;
-  inherit (config.secrets) owner;
+  inherit (config.secrets) sopsDir username;
+  owner = config.users.users.${username}.name;
 in
 {
-  config = {
-    nixpkgs.allowedUnfree = [ "claude-code" ];
-    secrets.groups.opencode = [ "api-key" ];
+  config.sops = {
+    secrets = myUtils.mkSopsSecrets sopsDir "opencode" [ "api-key" ] { inherit owner; };
 
-    sops.templates."opencode/auth.json" = {
+    templates."opencode/auth.json" = {
       inherit owner;
       path = "/home/${username}/.local/share/opencode/auth.json";
       content = ''

modules/anki/default.nix

@@ -1,6 +1,11 @@
+{ config, myUtils, ... }:
+
+let
+  inherit (config.secrets) sopsDir username;
+  owner = config.users.users.${username}.name;
+in
 {
-  config.secrets.groups.anki = [
-    "sync-user"
-    "sync-key"
-  ];
+  config.sops = {
+    secrets = myUtils.mkSopsSecrets sopsDir "anki" [ "sync-user" "sync-key" ] { inherit owner; };
+  };
 }

modules/backups/default.nix

@@ -1,16 +1,21 @@
 {
   lib,
   config,
+  myUtils,
   ...
 }:
 
 let
   cfg = config.restic-backup;
-  host = config.networking.hostName;
+  inherit (config.secrets) sopsDir;
 in
 {
-  options.restic-backup = {
-    enable = lib.mkEnableOption "restic backups";
+  options = {
+    restic-backup = {
+      repository = lib.mkOption {
+        type = lib.types.str;
+        default = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${config.networking.hostName}";
+      };
 
       passwordFile = lib.mkOption {
         type = lib.types.str;
@@ -22,32 +27,31 @@ in
         default = [ "/home" ];
       };
     };
+  };
 
-  config = lib.mkIf cfg.enable {
-    secrets.groups = {
-      restic = [ "password" ];
-      backblaze-b2 = [
-        "bucket-name"
-        "account-id"
-        "account-key"
+  config = {
+    sops = {
+      secrets = lib.mkMerge [
+        (myUtils.mkSopsSecrets sopsDir "restic" [ "password" ] { })
+        (myUtils.mkSopsSecrets sopsDir "backblaze-b2" [ "bucket-name" "account-id" "account-key" ] { })
       ];
+      templates = {
+        "restic/repo-${config.networking.hostName}" = {
+          content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${config.networking.hostName}";
         };
-
-    sops.templates = {
-      "restic/repo-${host}" = {
-        content = "b2:${config.sops.placeholder."backblaze-b2/bucket-name"}:${host}";
-      };
-      "restic/b2-env-${host}" = {
+        "restic/b2-env-${config.networking.hostName}" = {
           content = ''
             B2_ACCOUNT_ID=${config.sops.placeholder."backblaze-b2/account-id"}
             B2_ACCOUNT_KEY=${config.sops.placeholder."backblaze-b2/account-key"}
           '';
         };
       };
+    };
 
     services.restic.backups.home = {
-      repositoryFile = config.sops.templates."restic/repo-${host}".path;
-      inherit (cfg) passwordFile paths;
+      repositoryFile = config.sops.templates."restic/repo-${config.networking.hostName}".path;
+      inherit (cfg) passwordFile;
+      inherit (cfg) paths;
       timerConfig = {
         OnCalendar = "daily";
         Persistent = true;
@@ -60,7 +64,7 @@ in
         "--keep-monthly 6"
         "--keep-yearly 1"
       ];
-      environmentFile = config.sops.templates."restic/b2-env-${host}".path;
+      environmentFile = config.sops.templates."restic/b2-env-${config.networking.hostName}".path;
     };
   };
 }

modules/boot/bootloader.nix

@@ -1,11 +1,4 @@
-{ config, ... }:
-
 {
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    tmp.useTmpfs = config.host.highRam;
-  };
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
 }

modules/common/default.nix

@@ -73,11 +73,6 @@ in
           myUtils
           ;
       };
-      sharedModules = [
-        {
-          host.username = lib.mkDefault config.host.username;
-        }
-      ];
     };
   };
 }

modules/common/host.nix

@@ -19,15 +19,5 @@
       type = lib.types.str;
       default = "en_US.UTF-8";
     };
-
-    highRam = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-    };
-
-    admin = lib.mkOption {
-      type = lib.types.bool;
-      default = false;
-    };
   };
 }

modules/desktops/logind.nix

@@ -1,7 +0,0 @@
-{
-  services.logind.settings.Login = {
-    HandleLidSwitch = "suspend";
-    IdleAction = "suspend";
-    IdleActionSec = 1800;
-  };
-}

modules/desktops/niri/default.nix

@@ -9,8 +9,6 @@ let
   cfg = config.desktop;
 in
 {
-  imports = [ ../logind.nix ];
-
   options.desktop = {
     ly = {
       enable = lib.mkOption {
@@ -37,23 +35,15 @@ in
       ];
     };
 
-    #  error:
-    #  Failed assertions:
-    #  - h profile: xdg.portal: since you installed Home Manager via its NixOS module and
-    #  'home-manager.useUserPackages' is enabled, you need to add
-    #
-    #  environment.pathsToLink = [ `/share/applications` `/share/xdg-desktop-portal` ];
-    #
-    #  to your NixOS configuration so that the portal definitions and DE
-    #  provided configurations get linked.
-    environment.pathsToLink = [
-      "/share/applications"
-      "/share/xdg-desktop-portal"
-    ];
-
     services = {
       gnome.gnome-keyring.enable = false;
       dbus.enable = true;
+      logind.settings.Login = {
+        HandleLidSwitch = "suspend";
+        IdleAction = "suspend";
+        IdleActionSec = 1800;
+      };
+
       displayManager.ly = lib.mkIf cfg.ly.enable {
         enable = true;
       };

modules/docker/default.nix

@@ -2,17 +2,29 @@
 
 let
   cfg = config.docker;
-  inherit (config.host) username;
 in
 {
   options.docker = {
-    enable = lib.mkEnableOption "docker";
     rootless = lib.mkOption {
       type = lib.types.bool;
       default = false;
     };
+    user = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
+    };
   };
   config = lib.mkMerge [
+    {
+      warnings = lib.flatten [
+        (lib.optional (
+          cfg.rootless && cfg.user != null
+        ) "'virtualisation.docker.user' is ignored when rootless mode is enabled")
+        (lib.optional (
+          !cfg.rootless && cfg.user == null
+        ) "'virtualisation.docker.user' is not set (no user is added to the docker group)")
+      ];
+    }
     (lib.mkIf cfg.rootless {
       virtualisation.docker = {
         enable = false;
@@ -22,9 +34,11 @@ in
         };
       };
     })
-    (lib.mkIf (cfg.enable && !cfg.rootless) {
-      virtualisation.docker.enable = true;
-      users.users.${username}.extraGroups = [ "docker" ];
+    (lib.mkIf (!cfg.rootless && cfg.user != null) {
+      virtualisation.docker = {
+        enable = true;
+      };
+      users.users.${cfg.user}.extraGroups = [ "docker" ];
     })
   ];
 }

modules/gaming/default.nix

@@ -29,7 +29,7 @@
   programs.gamemode.enable = true;
 
   environment.systemPackages = with pkgs; [
-    # lutris
+    lutris
     mangohud
   ];
 

modules/git/default.nix

@@ -4,7 +4,7 @@
 }:
 
 let
-  inherit (config.host) username;
+  inherit (config.secrets) username;
   owner = config.users.users.${username}.name;
 in
 {

modules/hcloud/default.nix

@@ -1,25 +1,31 @@
 {
   lib,
   config,
+  myUtils,
   ...
 }:
 
 let
   cfg = config.hcloud;
-  inherit (config.host) username;
-  inherit (config.secrets) owner;
+  inherit (config.secrets) sopsDir;
 in
 {
   options.hcloud = {
     enable = lib.mkEnableOption "hcloud CLI configuration";
+    username = lib.mkOption {
+      type = lib.types.str;
+      description = "Username for hcloud CLI configuration";
+    };
   };
 
   config = lib.mkIf cfg.enable {
-    secrets.groups.hcloud = [ "api-token" ];
+    sops.secrets = myUtils.mkSopsSecrets sopsDir "hcloud" [ "api-token" ] {
+      owner = config.users.users.${cfg.username}.name;
+    };
 
     sops.templates."hcloud/cli.toml" = {
-      inherit owner;
-      path = "/home/${username}/.config/hcloud/cli.toml";
+      owner = config.users.users.${cfg.username}.name;
+      path = "/home/${cfg.username}/.config/hcloud/cli.toml";
       content = ''
         active_context = "server"
 

modules/nfc/default.nix

@@ -2,13 +2,15 @@
 
 let
   cfg = config.nfc;
-  inherit (config.host) username;
 in
 {
   options.nfc = {
-    enable = lib.mkEnableOption "NFC device access";
+    user = lib.mkOption {
+      type = lib.types.nullOr lib.types.str;
+      default = null;
     };
-  config = lib.mkIf cfg.enable {
-    users.users.${username}.extraGroups = [ "dialout" ];
+  };
+  config = lib.mkIf (cfg.user != null) {
+    users.users.${cfg.user}.extraGroups = [ "dialout" ];
   };
 }

modules/secrets/default.nix

@@ -9,29 +9,24 @@
 
 let
   cfg = config.secrets;
-  inherit (config.host) username;
   inherit (cfg) sopsDir;
-  owner = config.users.users.${username}.name;
+  owner = config.users.users.${cfg.username}.name;
+  mkSopsSecrets = myUtils.mkSopsSecrets sopsDir;
 in
 {
   imports = [ inputs.sops-nix.nixosModules.sops ];
 
   options = {
     secrets = {
+      username = lib.mkOption {
+        type = lib.types.str;
+      };
+
       sopsDir = lib.mkOption {
         type = lib.types.str;
         default = "${toString inputs.nix-secrets}/secrets";
       };
 
-      groups = lib.mkOption {
-        type = lib.types.attrsOf (lib.types.listOf lib.types.str);
-        default = { };
-      };
-
-      owner = lib.mkOption {
-        type = lib.types.unspecified;
-      };
-
       nixSigningKey = {
         enable = lib.mkEnableOption "nix signing key configuration";
       };
@@ -43,28 +38,27 @@ in
   };
 
   config = {
-    secrets = {
-      inherit owner;
-      groups = {
-        email = [
-          "personal"
-          "work"
-        ];
-        nix = lib.optional cfg.nixSigningKey.enable "signing-key";
-      };
-    };
-
     sops = {
       # for yubikey, generate as follows:
       # ```
       # age-plugin-yubikey --identity > <keyfile-path>
       # ```
-      age.keyFile = "/home/${username}/.config/sops/age/keys.txt";
-      secrets = myUtils.mkSopsSecrets sopsDir owner cfg.groups;
+      age.keyFile = "/home/${cfg.username}/.config/sops/age/keys.txt";
+
+      secrets = lib.mkMerge [
+        (mkSopsSecrets "email" [ "personal" "work" ] { inherit owner; })
+        (lib.mkIf cfg.nixSigningKey.enable {
+          nix-signing-key = {
+            sopsFile = "${sopsDir}/nix.yaml";
+            key = "signing-key";
+            inherit owner;
+          };
+        })
+      ];
     };
 
     nix.settings.secret-key-files = lib.mkIf cfg.nixSigningKey.enable [
-      config.sops.secrets."nix/signing-key".path
+      config.sops.secrets.nix-signing-key.path
     ];
 
     services = {

modules/ssh/authorized-keys.nix

@@ -1,29 +1,28 @@
-{
-  lib,
-  config,
-  ...
-}:
-
-let
-  inherit (config.host) username;
-  adminHosts = (import ../../utils { inherit lib; }).adminHosts ../../hosts;
-in
+{ lib, config, ... }:
 {
   options.ssh = {
     authorizedHosts = lib.mkOption {
       type = lib.types.listOf lib.types.str;
       default = [ ];
     };
+    username = lib.mkOption {
+      type = lib.types.str;
+      default = "h";
+    };
+    publicHostname = lib.mkOption {
+      type = lib.types.str;
+      default = "";
+    };
   };
 
   # auto generate authorized_keys from `authorizedHosts`
-  config.users.users.${username}.openssh.authorizedKeys.keys = lib.flatten (
+  config.users.users.${config.ssh.username}.openssh.authorizedKeys.keys = lib.flatten (
     map (
       hostname:
       let
         keyFile = ../../hosts/${hostname}/ssh_user.pub;
       in
       lib.optionals (builtins.pathExists keyFile) (lib.splitString "\n" (builtins.readFile keyFile))
-    ) ((builtins.filter (h: h != config.host.name) adminHosts) ++ config.ssh.authorizedHosts)
+    ) config.ssh.authorizedHosts
   );
 }

modules/ssh/extract-keys.nix

@@ -1,6 +1,6 @@
 { lib, config, ... }:
 let
-  inherit (config.host) username;
+  inherit (config.ssh) username;
 in
 {
   # auto extract SSH keys

modules/stylix/default.nix

@@ -30,7 +30,20 @@ in
 
   home-manager.sharedModules = [
     {
-      stylix.targets = import ./targets.nix;
+      stylix.targets = {
+        firefox = {
+          profileNames = [ "default" ];
+          colorTheme.enable = true;
+        };
+        librewolf = {
+          profileNames = [ "default" ];
+          colorTheme.enable = true;
+        };
+        kitty.variant256Colors = true;
+        gnome.enable = false;
+        gtk.enable = false;
+        nixvim.enable = false;
+      };
     }
   ];
 }

modules/stylix/targets.nix

@@ -1,14 +0,0 @@
-{
-  firefox = {
-    profileNames = [ "default" ];
-    colorTheme.enable = true;
-  };
-  librewolf = {
-    profileNames = [ "default" ];
-    colorTheme.enable = true;
-  };
-  kitty.variant256Colors = true;
-  gnome.enable = false;
-  gtk.enable = false;
-  nixvim.enable = false;
-}

modules/syncthing/default.nix

@@ -7,18 +7,23 @@
 with lib;
 
 let
-  inherit (config.host) username;
+  cfg = config.my.syncthing;
 in
 {
+  options.my.syncthing.username = mkOption {
+    type = types.str;
+    default = "h";
+  };
+
   config = {
-    users.groups.${username} = { };
-    users.users.${username}.extraGroups = [ username ];
+    users.groups.${cfg.username} = { };
+    users.users.${cfg.username}.extraGroups = [ cfg.username ];
 
     services.syncthing = {
       enable = true;
-      user = username;
-      group = username;
-      configDir = "/home/${username}/.local/state/syncthing";
+      user = cfg.username;
+      group = cfg.username;
+      configDir = "/home/${cfg.username}/.local/state/syncthing";
       openDefaultPorts = true;
     };
   };

modules/taskwarrior/default.nix

@@ -1,17 +1,18 @@
-{ config, ... }:
+{ config, myUtils, ... }:
 
 let
-  inherit (config.secrets) owner;
+  inherit (config.secrets) sopsDir username;
+  owner = config.users.users.${username}.name;
 in
 {
-  config = {
-    secrets.groups.taskwarrior = [
+  config.sops = {
+    secrets = myUtils.mkSopsSecrets sopsDir "taskwarrior" [
       "sync-server-url"
       "sync-server-client-id"
       "sync-encryption-secret"
-    ];
+    ] { inherit owner; };
 
-    sops.templates."taskrc.d/sync" = {
+    templates."taskrc.d/sync" = {
       inherit owner;
       content = ''
         sync.server.url=${config.sops.placeholder."taskwarrior/sync-server-url"}

modules/yubikey/default.nix

@@ -9,14 +9,18 @@ with lib;
 
 let
   cfg = config.my.yubikey;
-  inherit (config.host) username;
   formatKey = key: ":${key.handle},${key.userKey},${key.coseType},${key.options}";
-  authfileContent = u: keys: u + lib.concatMapStrings formatKey keys;
+  authfileContent = username: keys: username + lib.concatMapStrings formatKey keys;
 in
 {
   options.my.yubikey = {
     enable = mkEnableOption "yubiKey U2F authentication";
 
+    username = mkOption {
+      type = types.str;
+      default = "h";
+    };
+
     origin = mkOption {
       type = types.str;
       default = "pam://yubi";
@@ -57,7 +61,7 @@ in
           interactive = true;
           cue = true;
           inherit (cfg) origin;
-          authfile = pkgs.writeText "u2f-mappings" (authfileContent username cfg.keys);
+          authfile = pkgs.writeText "u2f-mappings" (authfileContent cfg.username cfg.keys);
         };
       };
       services = {

utils/default.nix

@@ -1,8 +1,41 @@
 { lib }:
 
-let
-  fs = import ./fs.nix { inherit lib; };
-  hosts = import ./hosts.nix { inherit lib; };
-  secrets = import ./secrets.nix { inherit lib; };
-in
-fs // hosts // secrets
+{
+  dirNames =
+    path: builtins.attrNames (lib.filterAttrs (_: type: type == "directory") (builtins.readDir path));
+
+  hostMeta =
+    hostDir:
+    if builtins.pathExists (hostDir + "/meta.nix") then
+      import (hostDir + "/meta.nix")
+    else
+      throw "meta.nix required in ${hostDir}";
+
+  mkSopsSecrets =
+    sopsDir: group: names: extraOpts:
+    let
+      file = "${group}.yaml";
+    in
+    lib.foldl' lib.mergeAttrs { } (
+      map (name: {
+        "${group}/${name}" = {
+          sopsFile = "${sopsDir}/${file}";
+          key = name;
+        }
+        // extraOpts;
+      }) names
+    );
+
+  sopsAvailability =
+    config: osConfig:
+    let
+      osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
+      hmSopsAvailable = config ? sops && config.sops ? secrets;
+      preferOs = osSopsAvailable;
+    in
+    {
+      available = osSopsAvailable || hmSopsAvailable;
+      secrets = if preferOs then osConfig.sops.secrets else config.sops.secrets;
+      templates = if preferOs then osConfig.sops.templates else config.sops.templates;
+    };
+}

utils/fs.nix

@@ -1,6 +0,0 @@
-{ lib }:
-
-{
-  dirNames =
-    path: builtins.attrNames (lib.filterAttrs (_: t: t == "directory") (builtins.readDir path));
-}

utils/hosts.nix

@@ -1,19 +0,0 @@
-{ lib }:
-
-let
-  fs = import ./fs.nix { inherit lib; };
-in
-{
-  hostMeta =
-    hostDir:
-    if builtins.pathExists (hostDir + "/meta.nix") then
-      import (hostDir + "/meta.nix")
-    else
-      throw "meta.nix required in ${hostDir}";
-
-  adminHosts =
-    hostsPath:
-    builtins.filter (host: ((import (hostsPath + "/${host}/host.nix")).host.admin or false)) (
-      fs.dirNames hostsPath
-    );
-}

utils/secrets.nix

@@ -1,37 +0,0 @@
-{ lib }:
-
-{
-  mkSopsSecrets =
-    sopsDir: owner: groups:
-    let
-      opts = lib.optionalAttrs (owner != null) { inherit owner; };
-      mkGroup =
-        group: names:
-        let
-          file = "${group}.yaml";
-        in
-        lib.foldl' lib.mergeAttrs { } (
-          map (name: {
-            "${group}/${name}" = {
-              sopsFile = "${sopsDir}/${file}";
-              key = name;
-            }
-            // opts;
-          }) names
-        );
-    in
-    lib.foldl' lib.mergeAttrs { } (lib.mapAttrsToList mkGroup groups);
-
-  sopsAvailability =
-    config: osConfig:
-    let
-      osSopsAvailable = osConfig != null && osConfig ? sops && osConfig.sops ? secrets;
-      hmSopsAvailable = config ? sops && config.sops ? secrets;
-      preferOs = osSopsAvailable;
-    in
-    {
-      available = osSopsAvailable || hmSopsAvailable;
-      secrets = if preferOs then osConfig.sops.secrets else config.sops.secrets;
-      templates = if preferOs then osConfig.sops.templates else config.sops.templates;
-    };
-}